
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1649098
MD5: eb880b186be6092a0dc71d001c2a6c73
SHA1: c1c2e742becf358ace89e2472e70ccb96bf287a0
SHA256: e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00
Tags: exe, user-jstrosch

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Windows Binaries Write Suspicious Extensions
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EB880B186BE6092A0DC71D001C2A6C73)
    • cmd.exe (PID: 7152 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6416 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • svchost.exe (PID: 6440 cmdline: "C:\Windows\system32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • tzutil.exe (PID: 6076 cmdline: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" "" MD5: ACB40D712D1158CDE87A02CB4F16B4D4)
        • powershell.exe (PID: 3348 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2876 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7008 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • w32tm.exe (PID: 1232 cmdline: "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" "" MD5: 15BDC4BD67925EF33B926843B3B8154B)
  • svchost.exe (PID: 7116 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware configuration (DarkVision Rat): {"C2": "82.29.67.160", "Port": 443}
Yara matches in process memory dumps:

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000000.00000002.965877867.0000000000926000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| 00000000.00000002.965877867.0000000000926000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 00000005.00000002.2199674916.0000024DE6FA8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| 00000005.00000002.2199674916.0000024DE6FA8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 00000000.00000002.964219117.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |

Yara matches in unpacked PE files:

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 5.2.svchost.exe.24de6f70000.0.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| 5.2.svchost.exe.24de6f70000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 5.2.svchost.exe.24de6f70000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x36ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x36e18:$s1: CoGetObject; 0x36eb0:$s2: Elevation:Administrator!new: |
| 0.2.file.exe.92bfe8.1.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| 0.2.file.exe.92bfe8.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 6440, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6884, ParentProcessName: file.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 7152, ProcessName: cmd.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 6440, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\svchost.exe, ProcessId: 6440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6884, ParentProcessName: file.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 7152, ProcessName: cmd.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\system32\svchost.exe", ParentImage: C:\Windows\System32\svchost.exe, ParentProcessId: 6440, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, ProcessId: 7008, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6884, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 6440, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7152, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 6416, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6884, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 6440, ProcessName: svchost.exe
Suricata IDS alerts, low severity:

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-26T14:17:51.942125+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49685 | 104.26.8.202 | 443 | TCP |
| 2025-03-26T14:17:54.670747+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49687 | 104.26.8.202 | 443 | TCP |

Suricata IDS alerts, high severity:

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-26T14:17:49.692671+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49684 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:17:53.695849+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49686 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:17:57.726000+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49693 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:01.752574+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49721 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:05.768042+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49742 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:09.788436+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49773 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:13.823709+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49777 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:17.862626+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49780 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:21.866625+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49781 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:25.905975+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49782 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:29.929133+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49783 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:33.961100+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49784 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:37.679416+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49786 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:41.117301+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49787 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:44.321750+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49788 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:47.319923+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49789 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:50.116689+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49790 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:52.731584+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49791 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:55.164607+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49792 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:57.476250+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49793 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:18:59.663449+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49794 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:01.710495+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49795 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:03.679744+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49796 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:05.554239+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49797 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:07.319963+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49798 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:09.022951+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49799 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:10.663661+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49800 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:12.242498+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49801 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:13.758661+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49802 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:15.226182+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49803 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:16.633324+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49804 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:18.007274+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49805 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:19.351559+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49806 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:20.663886+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49807 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:21.945870+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49808 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:23.195083+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49809 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:24.462194+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49810 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:25.663423+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49811 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:26.851732+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49812 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:28.038641+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49813 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:29.210522+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49814 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:30.474126+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49815 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:31.585981+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49816 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:32.710687+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49817 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:33.835620+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49818 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:34.945191+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49819 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:36.036777+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49820 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:37.101406+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49821 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:38.163688+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49822 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:39.278678+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49823 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:40.351191+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49824 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:41.414012+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49825 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:42.476082+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49826 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:43.538705+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49827 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:44.585717+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49828 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:45.616930+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49829 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:46.648894+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49830 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:47.679076+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49831 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:48.726979+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49832 | 82.29.67.160 | 443 | TCP |
| 2025-03-26T14:19:49.773059+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.8 | 49833 | 82.29.67.160 | 443 | TCP |


AV Detection

Source: file.exe; Avira: detected
Source: http://107.174.192.179/data/003; Avira URL Cloud: Label: malware
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Avira: detection malicious, Label: TR/Crypt.Agent.xduco
Source: 5.2.svchost.exe.24de6f70000.0.unpack; Malware Configuration Extractor: DarkVision Rat {"C2": "82.29.67.160", "Port": 443}
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe; ReversingLabs: Detection: 45%
Source: C:\Windows\Temp\Jqrd3_6076.sys; ReversingLabs: Detection: 33%
Source: file.exe; Virustotal: Detection: 54%
Source: file.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Neural Call Log Analysis: 100.0%
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040516A _memset,CryptBinaryToStringW,CryptBinaryToStringW,_memset,__snwprintf,LocalFree,WaitForSingleObject,RtlExitUserThread,_memset,_memset,_memset,_memset,__snwprintf,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,0_2_0040516A
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0041CFE0 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,0_2_0041CFE0
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F8DD8F CryptReleaseContext,CryptDestroyHash,5_2_0000024DE6F8DD8F
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F8DD5A CryptReleaseContext,CryptDestroyHash,5_2_0000024DE6F8DD5A
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F8DD1E CryptReleaseContext,CryptDestroyHash,5_2_0000024DE6F8DD1E
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F8DCF7 CryptReleaseContext,CryptDestroyHash,5_2_0000024DE6F8DCF7
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F8DC00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,5_2_0000024DE6F8DC00
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F753B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,5_2_0000024DE6F753B0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_008582FC malloc,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,free,9_2_008582FC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_0089F018 CryptDestroyHash,9_2_0089F018
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_0089F028 CryptGenRandom,9_2_0089F028
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_0089F078 CryptReleaseContext,VirtualAlloc,9_2_0089F078
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_008471E8 CryptAcquireContextA,CryptCreateHash,9_2_008471E8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_008471EA CryptAcquireContextA,CryptCreateHash,9_2_008471EA
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_00847244 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_00847244
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_0084E4C4 CryptAcquireContextA,CryptCreateHash,9_2_0084E4C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_00858478 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_00858478
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_0084E510 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_0084E510
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: -----BEGIN PUBLIC KEY----- 9_2_0085F214
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: -----BEGIN PUBLIC KEY----- 9_2_00833268
Source: tzutil.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match; File source: 5.2.svchost.exe.24de6f70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.92bfe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.92bfe8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.965877867.0000000000926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2199674916.0000024DE6FA8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.964219117.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6440, type: MEMORYSTR
Source: file.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: Binary string: _prod.pdb source: w32tm.exe, 0000000C.00000002.1190354273.000000000044C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GAEECDBE0A5831\ntkrnlmp.pdb[ source: w32tm.exe, 0000000C.00000002.1190354273.000000000044C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBw source: w32tm.exe, 0000000C.00000002.1190354273.000000000044C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00410AA0 _memset,_memset,SHGetKnownFolderPath,__snwprintf,__snwprintf,CoTaskMemFree,_memset,__snwprintf,FindFirstFileW,_memset,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_00410AA0
Source: C:\Windows\System32\svchost.exe; Code function: 5_2_0000024DE6F797F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,5_2_0000024DE6F797F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_008735CC FindFirstFileA,FindNextFileA,FindClose,9_2_008735CC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 9_2_00891C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,9_2_00891C54

Networking

Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49684 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49686 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49721 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49693 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49742 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49777 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49782 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49781 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49786 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49788 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49789 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49793 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49794 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49790 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49791 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49799 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49801 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49780 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49796 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49807 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49810 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49808 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49818 -> 82.29.67.160:443
Source: Network traffic; Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49820 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49805 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49806 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49825 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49828 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49832 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49800 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49792 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49824 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49797 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49804 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49811 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49831 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49814 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49815 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49833 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49787 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49809 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49826 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49816 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49819 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49829 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49773 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49803 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49827 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49830 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49823 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49798 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49817 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49813 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49822 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49783 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49795 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49784 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49812 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49821 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.8:49802 -> 82.29.67.160:443
                    Source: Malware configuration extractorIPs: 82.29.67.160
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeFile created: 646f53b2.exe.12.dr
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Wed, 26 Mar 2025 13:17:46 GMTContent-Type: application/octet-streamContent-Length: 1995776Last-Modified: Wed, 26 Mar 2025 01:54:07 GMTConnection: keep-aliveETag: "67e35e3f-1e7400"Accept-Ranges: bytes
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Wed, 26 Mar 2025 13:17:55 GMTContent-Type: application/octet-streamContent-Length: 1400832Last-Modified: Sat, 22 Mar 2025 01:09:32 GMTConnection: keep-aliveETag: "67de0dcc-156000"Accept-Ranges: bytes
                    Source: Joe Sandbox ViewIP Address: 4.28.136.57 4.28.136.57
                    Source: Joe Sandbox ViewIP Address: 104.26.8.202 104.26.8.202
                    Source: Joe Sandbox ViewIP Address: 107.174.192.179 107.174.192.179
                    Source: Joe Sandbox ViewASN Name: NTLGB NTLGB
                    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49685 -> 104.26.8.202:443
                    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 104.26.8.202:443
                    Source: global trafficHTTP traffic detected: GET /ZATFQO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: grabify.link
                    Source: global trafficHTTP traffic detected: GET /images/pixel.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: grabify.linkCookie: g_session=eyJpdiI6InJLNm9BZmdmY1c3RUpGMkorb2h5YXc9PSIsInZhbHVlIjoiQ0UzeHdQU0RReEFXeVREdGxYRkdmZ0puL2NuTjFIWWxjanF5NlRLeXk4VGc3TnF3T3BhVUVsbExEcjBvRk1rU0MzSnZ5QktPem5iY0ZmZ3RWaGlLcWE4UTQyZnA5WXMxTzZOOEhiZFZsalNpUDU1SElPUER5SGcwblJHRk16RDYiLCJtYWMiOiJiMDAxNzYxYjBkNjA5YmE2MDkxMGYyNmJjNTMyNWE5Yzg2ZDg4NjkwZDZhOTVlOWUzZTFjMzFhZWI5OWU2ZjM2IiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6IlgxMEtFSnRBU3VFN21POG84d1psN3c9PSIsInZhbHVlIjoiOXVpSWpIWFJpbUQ2OWQwamwvRXJodkxKU1BFYjJTN1gxZVBZMUR4RXlxUSszclc2NVJuT2xiK3lLdVVwSThLaUp3SmphVGU4aWUxKzJROWpodVNLNmgvSXY3UzVzbHNucFBLTWdkMTZkVy9pK1NjM1RGZXJDRjlzU3NxSStiZXUiLCJtYWMiOiI4Mjk3MTIzY2Y0YjU3MzVmOTg2ZjdkNjRlNDhiOWFkZjdkOWNiOWJjNjYwZWY1MzM2ZGEwMDEzZWM2NWE2ODk3IiwidGFnIjoiIn0%3D
                    Source: global trafficHTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1Host: devbuilds.s.kaspersky-labs.comRange: bytes=0-0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57Accept: */*
                    Source: global trafficHTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1Host: devbuilds.s.kaspersky-labs.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57Accept: */*
                    Source: global trafficHTTP traffic detected: GET /data/003 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: 107.174.192.179
                    Source: global trafficHTTP traffic detected: GET /clean HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: 107.174.192.179
                    Source: global trafficHTTP traffic detected: HEAD /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=0-0User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=0-16383User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=32768-49151User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=16384-32767User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=49152-65535User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=65536-81919User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=81920-98303User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=98304-114687User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=114688-131071User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=131072-163839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=163840-196607User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=196608-229375User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=229376-262143User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=262144-294911User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=294912-327679User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=327680-360447User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=360448-393215User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=393216-458751User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=458752-524287User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=524288-589823User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=589824-655359User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=655360-720895User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=720896-786431User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=786432-851967User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=851968-917503User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=917504-1048575User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1048576-1179647User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1179648-1310719User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1310720-1441791User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1441792-1572863User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1572864-1703935User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1703936-1835007User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1835008-1966079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1966080-2228223User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=2228224-2490367User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=2490368-2752511User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=2752512-3014655User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3014656-3276799User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3276800-3538943User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3538944-4063231User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4063232-4587519User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4587520-5111807User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5111808-5373951User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5373952-5606383User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: unknown | TCP traffic detected without corresponding DNS query: 107.174.192.179 (this finding is listed 50 times in the report)
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F934A0 recv | 5_2_0000024DE6F934A0
                    Source: global traffic | HTTP traffic detected: GET /ZATFQO HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: grabify.link
                    Source: global traffic | HTTP traffic detected: GET /images/pixel.png HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: grabify.link; Cookie: g_session=eyJpdiI6InJLNm9BZmdmY1c3RUpGMkorb2h5YXc9PSIsInZhbHVlIjoiQ0UzeHdQU0RReEFXeVREdGxYRkdmZ0puL2NuTjFIWWxjanF5NlRLeXk4VGc3TnF3T3BhVUVsbExEcjBvRk1rU0MzSnZ5QktPem5iY0ZmZ3RWaGlLcWE4UTQyZnA5WXMxTzZOOEhiZFZsalNpUDU1SElPUER5SGcwblJHRk16RDYiLCJtYWMiOiJiMDAxNzYxYjBkNjA5YmE2MDkxMGYyNmJjNTMyNWE5Yzg2ZDg4NjkwZDZhOTVlOWUzZTFjMzFhZWI5OWU2ZjM2IiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6IlgxMEtFSnRBU3VFN21POG84d1psN3c9PSIsInZhbHVlIjoiOXVpSWpIWFJpbUQ2OWQwamwvRXJodkxKU1BFYjJTN1gxZVBZMUR4RXlxUSszclc2NVJuT2xiK3lLdVVwSThLaUp3SmphVGU4aWUxKzJROWpodVNLNmgvSXY3UzVzbHNucFBLTWdkMTZkVy9pK1NjM1RGZXJDRjlzU3NxSStiZXUiLCJtYWMiOiI4Mjk3MTIzY2Y0YjU3MzVmOTg2ZjdkNjRlNDhiOWFkZjdkOWNiOWJjNjYwZWY1MzM2ZGEwMDEzZWM2NWE2ODk3IiwidGFnIjoiIn0%3D
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1; Host: devbuilds.s.kaspersky-labs.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57; Accept: */* (this identical request is listed 5 times in the report)
                    Source: global traffic | HTTP traffic detected: GET /data/003 HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: 107.174.192.179
                    Source: global traffic | HTTP traffic detected: GET /clean HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: 107.174.192.179
                    Source: global traffic | HTTP traffic detected: 43 requests GET /003/01/d1 HTTP/1.1; Host: 104.168.28.10; User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3; Accept: */*, one per Range header, in the order listed:
                      Range: bytes=0-16383
                      Range: bytes=32768-49151
                      Range: bytes=16384-32767
                      Range: bytes=49152-65535
                      Range: bytes=65536-81919
                      Range: bytes=81920-98303
                      Range: bytes=98304-114687
                      Range: bytes=114688-131071
                      Range: bytes=131072-163839
                      Range: bytes=163840-196607
                      Range: bytes=196608-229375
                      Range: bytes=229376-262143
                      Range: bytes=262144-294911
                      Range: bytes=294912-327679
                      Range: bytes=327680-360447
                      Range: bytes=360448-393215
                      Range: bytes=393216-458751
                      Range: bytes=458752-524287
                      Range: bytes=524288-589823
                      Range: bytes=589824-655359
                      Range: bytes=655360-720895
                      Range: bytes=720896-786431
                      Range: bytes=786432-851967
                      Range: bytes=851968-917503
                      Range: bytes=917504-1048575
                      Range: bytes=1048576-1179647
                      Range: bytes=1179648-1310719
                      Range: bytes=1310720-1441791
                      Range: bytes=1441792-1572863
                      Range: bytes=1572864-1703935
                      Range: bytes=1703936-1835007
                      Range: bytes=1835008-1966079
                      Range: bytes=1966080-2228223
                      Range: bytes=2228224-2490367
                      Range: bytes=2490368-2752511
                      Range: bytes=2752512-3014655
                      Range: bytes=3014656-3276799
                      Range: bytes=3276800-3538943
                      Range: bytes=3538944-4063231
                      Range: bytes=4063232-4587519
                      Range: bytes=4587520-5111807
                      Range: bytes=5111808-5373951
                      Range: bytes=5373952-5606383
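Three of the findings above are the kind an analyst turns into reusable checks: HTTP requests whose Host header is a bare IP (107.174.192.179 and 104.168.28.10, the destinations the sandbox reports as "TCP traffic detected without corresponding DNS query"), a Firefox User-Agent whose rv: and Firefox/ versions disagree (rv:21.0 next to Firefox/10.3), and a single object fetched as 43 Range requests of growing size. The following is an added example, not part of the Joe Sandbox report: the request heads and the Range list are constructed from the report's own request lines (hosts, paths, User-Agent and Range values copied), while the parser, the checks and the function names are this example's own.

```python
# Added example; not part of the Joe Sandbox output. Request heads and the Range
# list are constructed from the report's own lines; parser and checks are mine.
import ipaddress
import re

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3"

SAMPLE_REQUESTS = [  # one constructed head per destination seen in the report
    "\r\n".join(["GET /data/003 HTTP/1.1", "Connection: Keep-Alive", "Accept: */*",
                 f"User-Agent: {CHROME_UA}", "Host: 107.174.192.179", ""]),
    "\r\n".join(["GET /ZATFQO HTTP/1.1", "Connection: Keep-Alive", "Accept: */*",
                 f"User-Agent: {CHROME_UA}", "Host: grabify.link", ""]),
    "\r\n".join(["GET /003/01/d1 HTTP/1.1", "Host: 104.168.28.10", "Range: bytes=0-16383",
                 f"User-Agent: {FIREFOX_UA}", "Accept: */*", ""]),
]

# The 43 Range values for /003/01/d1, in the order the report lists them.
RANGE_SEQUENCE = """
0-16383 32768-49151 16384-32767 49152-65535 65536-81919 81920-98303 98304-114687
114688-131071 131072-163839 163840-196607 196608-229375 229376-262143 262144-294911
294912-327679 327680-360447 360448-393215 393216-458751 458752-524287 524288-589823
589824-655359 655360-720895 720896-786431 786432-851967 851968-917503 917504-1048575
1048576-1179647 1179648-1310719 1310720-1441791 1441792-1572863 1572864-1703935
1703936-1835007 1835008-1966079 1966080-2228223 2228224-2490367 2490368-2752511
2752512-3014655 3014656-3276799 3276800-3538943 3538944-4063231 4063232-4587519
4587520-5111807 5111808-5373951 5373952-5606383
"""


def parse_request_head(raw):
    """Request line plus headers -> (method, path, {lowercased name: value})."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def host_is_ip_literal(host):
    """True when Host is a bare IP: the client never needed DNS, which is what
    the report's 'TCP traffic detected without corresponding DNS query' means."""
    if host.startswith("["):  # [IPv6]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:  # IPv4:port or name:port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def firefox_version_mismatch(user_agent):
    """Firefox puts the same major version in 'rv:' and 'Firefox/'; rv:21.0 next
    to Firefox/10.3 is a hand-written string and a cheap hunting pivot."""
    rv = re.search(r"rv:(\d+)", user_agent)
    ff = re.search(r"Firefox/(\d+)", user_agent)
    return bool(rv and ff and rv.group(1) != ff.group(1))


def parse_range(value):
    """'bytes=start-end' -> inclusive (start, end); single closed ranges only."""
    unit, _, spec = value.partition("=")
    start, _, end = spec.partition("-")
    if unit != "bytes" or not (start.isdigit() and end.isdigit()):
        raise ValueError(f"unsupported Range: {value!r}")
    return int(start), int(end)


def range_profile(ranges):
    """Do the ranges tile one object with no gap or overlap, how many arrived out
    of order, and which chunk sizes occur (escalating sizes = download loop)."""
    ordered = sorted(ranges)
    return {
        "chunks": len(ranges),
        "bytes": sum(e - s + 1 for s, e in ranges),
        "contiguous": all(a[1] + 1 == b[0] for a, b in zip(ordered, ordered[1:])),
        "out_of_order": sum(1 for a, b in zip(ranges, ranges[1:]) if b[0] < a[0]),
        "chunk_sizes": sorted({e - s + 1 for s, e in ranges}),
    }


def triage(raw_requests):
    """One finding per request head: host, path, the two header checks, Range."""
    findings = []
    for raw in raw_requests:
        _method, path, h = parse_request_head(raw)
        host = h.get("host", "")
        findings.append({
            "host": host, "path": path,
            "ip_literal_host": host_is_ip_literal(host),
            "ua_mismatch": firefox_version_mismatch(h.get("user-agent", "")),
            "range": parse_range(h["range"]) if "range" in h else None,
        })
    return findings


def report_ranges():
    """Profile of the 43 /003/01/d1 Range requests listed in the report."""
    return range_profile([parse_range("bytes=" + t) for t in RANGE_SEQUENCE.split()])
```

On the report's sequence `report_ranges()` comes out as 43 chunks that tile bytes 0 to 5606383 with no gap or overlap (5,606,384 bytes requested in total), one request out of order (bytes=32768-49151 was asked for before bytes=16384-32767), and chunk sizes stepping 16 KiB, 32 KiB, 64 KiB, 128 KiB, 256 KiB, 512 KiB, then a 256 KiB chunk and a 232,432-byte tail. If that tail is the end of the object, the file fetched from 104.168.28.10 is 5,606,384 bytes; the size escalation and the custom User-Agent together are a usable signature for the download loop, independent of the IP.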
                    Source: global traffic | DNS traffic detected: DNS query: grabify.link
                    Source: global traffic | DNS traffic detected: DNS query: devbuilds.s.kaspersky-labs.com
                    Source: global traffic | HTTP traffic detected: ten responses HTTP/1.1 403 Forbidden; Date: <Date>; Content-Length: 353; Connection: close; Cache-Control: no-cache; Content-Type: text/html; Set-Cookie: klid=<value>; domain=.kaspersky-labs.com; path=/; expires=<one year after Date>; HttpOnly, with these Date and klid values:
                      Wed, 26 Mar 2025 13:18:04 GMT, klid=39881c0467e3fe8c7516db36b0620890
                      Wed, 26 Mar 2025 13:18:04 GMT, klid=39881c0467e3fe8c7516db28b063bdc2
                      Wed, 26 Mar 2025 13:18:04 GMT, klid=39881c0467e3fe8c7516db2ab05fee99
                      Wed, 26 Mar 2025 13:18:06 GMT, klid=39881c0467e3fe8e7516db2cb06a8e72
                      Wed, 26 Mar 2025 13:18:06 GMT, klid=39881c0467e3fe8e7516db30b0697bb4
                      Wed, 26 Mar 2025 13:18:06 GMT, klid=39881c0467e3fe8e7516db32b05feaaf
                      Wed, 26 Mar 2025 13:18:07 GMT, klid=39881c0467e3fe8f7516db34b066b89f
                      Wed, 26 Mar 2025 13:18:07 GMT, klid=39881c0467e3fe8f7516db36b062253a
                      Wed, 26 Mar 2025 13:18:08 GMT, klid=39881c0467e3fe907516db28b0640a6a
                      Wed, 26 Mar 2025 13:18:09 GMT, klid=39881c0467e3fe917516db2ab06058dc
                    Source: tzutil.exe, 00000009.00000002.1170573461.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1170460700.00000000024A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1
                    Source: tzutil.exe, 00000009.00000002.1170573461.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d14
                    Source: tzutil.exe, 00000009.00000002.1170573461.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1;ON
                    Source: tzutil.exe, 00000009.00000002.1170460700.00000000024A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1GPROFILE
                    Source: tzutil.exe, 00000009.00000002.1170573461.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1gOb
                    Source: tzutil.exe, 00000009.00000002.1170573461.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1vOs
                    Source: file.exe, 00000000.00000002.964241368.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199714922.0000024DE6FCF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2200456500.0000024DE7072000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199714922.0000024DE6FD3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://107.174.192.179/clean
                    Source: file.exe, 00000000.00000002.964241368.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199714922.0000024DE6FCF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2200456500.0000024DE7072000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199714922.0000024DE6FD3000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199019402.000000E0650F6000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.174.192.179/data/003
                    Source: svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                    Source: tzutil.exe, 00000009.00000003.1157387592.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, Jqrd3_6076.sys.9.dr | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
                    Source: svchost.exe, 00000011.00000002.2202095523.000001D977200000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                    Source: tzutil.exe, 00000009.00000003.1157387592.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, Jqrd3_6076.sys.9.dr | String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
                    Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                    Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                    Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                    Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                    Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                    Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                    Source: qmgr.db.17.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: powershell.exe, 0000000D.00000002.1172454135.00000227AEEA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1265333795.0000026298A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: tzutil.exe, 00000009.00000003.1157387592.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, Jqrd3_6076.sys.9.dr | String found in binary or memory: http://ocsp.thawte.com0
                    Source: powershell.exe, 0000000F.00000002.1197954792.0000026288C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 0000000D.00000002.1139770082.000002279F057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1197954792.0000026288C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 0000000D.00000002.1139770082.000002279EE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1197954792.00000262889E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000000D.00000002.1139770082.000002279F057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1197954792.0000026288C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000F.00000002.1197954792.0000026288C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000000F.00000002.1282034667.00000262A14AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: powershell.exe, 0000000D.00000002.1190853826.00000227B75F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 0000000D.00000002.1139770082.000002279EE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1197954792.00000262889E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000000F.00000002.1265333795.0000026298A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000F.00000002.1265333795.0000026298A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000F.00000002.1265333795.0000026298A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: tzutil.exe, tzutil.exe, 00000009.00000002.1169909218.0000000000820000.00000040.00000001.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1170887352.0000000140010000.00000004.00000001.01000000.00000005.sdmp, w32tm.exe, w32tm.exe, 0000000C.00000002.1192030766.0000000140075000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                    Source: tzutil.exe, w32tm.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
                    Source: w32tm.exe, 0000000C.00000003.1189168658.0000000002182000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000002.1191378918.0000000002182000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1183444636.0000000002182000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-l
                    Source: w32tm.exe, 0000000C.00000003.1189168658.0000000002182000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000002.1191378918.0000000002182000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-l.exe
                    Source: w32tm.exe, 0000000C.00000003.1162765222.00000000020F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/d
                    Source: w32tm.exe, 0000000C.00000003.1183394286.00000000020F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/fu
                    Source: w32tm.exe, 0000000C.00000002.1192030766.0000000140075000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
                    Source: w32tm.exe, 0000000C.00000003.1167416536.0000000002181000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe#
                    Source: w32tm.exe, 0000000C.00000003.1177345239.0000000002181000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exeindows
                    Source: w32tm.exe, 0000000C.00000003.1183444636.0000000002182000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-lscor
                    Source: edb.log.17.dr, qmgr.db.17.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                    Source: svchost.exe, 00000011.00000003.1203008663.000001D977060000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
                    Source: powershell.exe, 0000000F.00000002.1197954792.0000026288C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: tzutil.exe, 00000009.00000003.1162647261.000000000282C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/U7WLGD
                    Source: tzutil.exe, 00000009.00000002.1170771409.000000000282C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/U7WLGDCC
                    Source: file.exe, 00000000.00000002.964241368.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199714922.0000024DE6FCF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2200456500.0000024DE7072000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2199714922.0000024DE6FD3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/ZATFQO
                    Source: svchost.exe, 00000005.00000002.2200456500.0000024DE7072000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/ZATFQO8
                    Source: svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixe
                    Source: svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixel.png
                    Source: svchost.exe, 00000005.00000002.2200928233.0000024DE70E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixel.pngLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedExp
                    Source: powershell.exe, 0000000D.00000002.1172454135.00000227AEEA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1265333795.0000026298A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: unknown HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.8:49685 version: TLS 1.2
                    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000024DE6F82310 WaitForSingleObject,RtlExitUserThread,GetAsyncKeyState,Sleep,OpenEventW,SetEvent,CloseHandle,RtlExitUserThread, 5_2_0000024DE6F82310

                    System Summary

                    Source: 5.2.svchost.exe.24de6f70000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.file.exe.92bfe8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.file.exe.92bfe8.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000024DE6F80740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle, 5_2_0000024DE6F80740
                    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000024DE6F811A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle, 5_2_0000024DE6F811A4
                    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000024DE6F77940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess, 5_2_0000024DE6F77940
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 9_2_00825D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey, 9_2_00825D7C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe File created: C:\Windows\Temp\Jqrd3_6076.sys
                    Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe File deleted: C:\Windows\Temp\Jqrd3_6076.sys
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0099A6769_2_0099A676
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0090966A9_2_0090966A
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0087178C9_2_0087178C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008727B49_2_008727B4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008FE7139_2_008FE713
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0085876C9_2_0085876C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008468C49_2_008468C4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0093C8DB9_2_0093C8DB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0091B8DE9_2_0091B8DE
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008218EC9_2_008218EC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088D80C9_2_0088D80C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008928209_2_00892820
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008878349_2_00887834
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088284C9_2_0088284C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008968789_2_00896878
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0084F8709_2_0084F870
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008998709_2_00899870
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008939849_2_00893984
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_009689CB9_2_009689CB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_009019189_2_00901918
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092D90D9_2_0092D90D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008619409_2_00861940
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00835AB09_2_00835AB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00863AB09_2_00863AB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00856ABC9_2_00856ABC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00969AAB9_2_00969AAB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00902AEB9_2_00902AEB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00890AF49_2_00890AF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00861AF89_2_00861AF8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00911A119_2_00911A11
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00895A589_2_00895A58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00919A449_2_00919A44
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00887A509_2_00887A50
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0096BA769_2_0096BA76
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00858A649_2_00858A64
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0082BA609_2_0082BA60
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00891A749_2_00891A74
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00912B919_2_00912B91
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00935BB79_2_00935BB7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0095FBB39_2_0095FBB3
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008FFBB09_2_008FFBB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00913BF19_2_00913BF1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00829BF49_2_00829BF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0089DB309_2_0089DB30
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00929B2E9_2_00929B2E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092FB5C9_2_0092FB5C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088DCAC9_2_0088DCAC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00887CB89_2_00887CB8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00898CBC9_2_00898CBC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00985CDB9_2_00985CDB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00872CC89_2_00872CC8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00871CF09_2_00871CF0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0087AC089_2_0087AC08
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00984C3C9_2_00984C3C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00954C589_2_00954C58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00888C789_2_00888C78
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00855D849_2_00855D84
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00897D809_2_00897D80
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0082ED889_2_0082ED88
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00974D8E9_2_00974D8E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0099DDBB9_2_0099DDBB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00997D0B9_2_00997D0B
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00937D019_2_00937D01
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0093CD5D9_2_0093CD5D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0090DD7E9_2_0090DD7E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00824E809_2_00824E80
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00852EAC9_2_00852EAC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092BED09_2_0092BED0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00946EC49_2_00946EC4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00957EC79_2_00957EC7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00882EDC9_2_00882EDC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00951ECB9_2_00951ECB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00828EE49_2_00828EE4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088CEF49_2_0088CEF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0095DE1F9_2_0095DE1F
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00920E669_2_00920E66
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0089CF9C9_2_0089CF9C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00947FDD9_2_00947FDD
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00899FF49_2_00899FF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0083EF089_2_0083EF08
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00910F3C9_2_00910F3C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00841F509_2_00841F50
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00836F589_2_00836F58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092CF659_2_0092CF65
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014000116412_2_0000000140001164
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014005EFEC12_2_000000014005EFEC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014001D02012_2_000000014001D020
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400638E412_2_00000001400638E4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014001292412_2_0000000140012924
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014006016412_2_0000000140060164
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400021BC12_2_00000001400021BC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014000C20C12_2_000000014000C20C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_0000000140021C5812_2_0000000140021C58
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400614CC12_2_00000001400614CC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400054E412_2_00000001400054E4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014001565C12_2_000000014001565C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014006577C12_2_000000014006577C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_0000000140061FDC12_2_0000000140061FDC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF936772E1113_2_00007FF936772E11
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe 4F0B2C61BCCFD9AA3DB301EE4E15607DF41DED533757DE34C986A0FF25B6246D
                    Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\Jqrd3_6076.sys C37BF1ABC0662B4F18607E2D7B75F5C600E45EA5604DAFFA54674E2AEBDCE9F0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process token adjusted: Load Driver
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: String function: 0000000140011D54 appears 41 times
                    Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024DE6F984A8 appears 48 times
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: String function: 0083B600 appears 74 times
                    Source: file.exe, 00000000.00000000.955674784.0000000000686000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFONTVIEW.EXEj% vs file.exe
                    Source: file.exe | Binary or memory string: OriginalFilenameFONTVIEW.EXEj% vs file.exe
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\WM32wKc2_6076
                    Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 5.2.svchost.exe.24de6f70000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.file.exe.92bfe8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.file.exe.92bfe8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: file.exe | Static PE information: Section: z2 ZLIB complexity 0.9914302453131233
                    Source: Jqrd3_6076.sys.9.dr | Binary string: \Device\Udp6\Device\Udp\Device\Tcp6\Device\Tcp
                    Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@23/23@2/6
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00825D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0089F038 AdjustTokenPrivileges,VirtualAlloc
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DE90 CoInitialize,CoCreateInstance,CoUninitialize
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3FA0BA37-09C6-4551-AE7D-90F1279DF03F}
                    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{332F5D59-2BCB-4D58-B258-019647CFE541}
                    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3309A6B4-2F09-4BC8-A971-5D5A3B1B34EE}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BECD724E-BB45-47CB-82D8-31731BA1EB16}
                    Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{213CD3BF-7EA5-4F3F-A371-F1D075B5EB25}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfrmbmwa.fwr.ps1
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: file.exe | Virustotal: Detection: 54%
                    Source: file.exe | ReversingLabs: Detection: 63%
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: msi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dbghelp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dbgcore.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: file.exe | Static file information: File size 1367040 > 1048576
                    Source: file.exe | Static PE information: Raw size of z2 is bigger than: 0x100000 < 0x139600
                    Source: Binary string: _prod.pdb source: w32tm.exe, 0000000C.00000002.1190354273.000000000044C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: GAEECDBE0A5831\ntkrnlmp.pdb[ source: w32tm.exe, 0000000C.00000002.1190354273.000000000044C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBw source: w32tm.exe, 0000000C.00000002.1190354273.000000000044C000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F88830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress, 5_2_0000024DE6F88830
                    Source: initial sample | Static PE information: section where entry point is pointing to: z2
                    Source: file.exe | Static PE information: section name: z0
                    Source: file.exe | Static PE information: section name: z1
                    Source: file.exe | Static PE information: section name: z2
                    Source: tzutil.exe.5.dr | Static PE information: section name: a0
                    Source: tzutil.exe.5.dr | Static PE information: section name: a1
                    Source: tzutil.exe.5.dr | Static PE information: section name: a2
                    Source: w32tm.exe.5.dr | Static PE information: section name: s00
                    Source: w32tm.exe.5.dr | Static PE information: section name: s01
                    Source: w32tm.exe.5.dr | Static PE information: section name: s02
                    Source: Jqrd3_6076.sys.9.dr | Static PE information: section name: vs0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049B3CD push ecx; ret 0_2_0049B3E0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005173ED push edi; ret 0_2_00517422
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004075BB push ecx; retf 0000h 0_2_004075BC
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00530D71 push esp; ret 0_2_00530D92
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EED75 push B84DD845h; retf 0_2_004EEDA0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008A86EA push rax; ret 9_2_008A8701
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008A8748 push rax; retn 008Ah 9_2_008A8759
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00822D40 push rcx; iretd 9_2_00822D43
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008A7E82 push rax; retn 008Ah 9_2_008A7E89
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 12_2_00000001400136B7 push rsp; iretd 12_2_00000001400136B8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 12_2_00000001400136D2 push rsp; iretd 12_2_00000001400136D3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF93658D2A5 pushad ; iretd 13_2_00007FF93658D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF9366A00BD pushad ; iretd 13_2_00007FF9366A00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF936772316 push 8B485F94h; iretd 13_2_00007FF93677231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FF9365AD2A5 pushad ; iretd 15_2_00007FF9365AD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FF9366C00BD pushad ; iretd 15_2_00007FF9366C00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FF936792316 push 8B485F92h; iretd 15_2_00007FF93679231B
                    Source: file.exe | Static PE information: section name: z2 entropy: 7.986156524412056
                    Source: tzutil.exe.5.dr | Static PE information: section name: a2 entropy: 7.993062164690057
                    Source: w32tm.exe.5.dr | Static PE information: section name: s02 entropy: 7.959351043402205
                    Source: Jqrd3_6076.sys.9.dr | Static PE information: section name: .text entropy: 7.126561604240753

                    Persistence and Installation Behavior

                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\Jqrd3_6076.sys
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\Jqrd3_6076.sys
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\Jqrd3_6076.sys

                    Boot Survival

                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} (3 identical entries)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM32wKc2_6076
                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} (2 identical entries)
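                    The two sections above describe how this sample survives a reboot: a process named svchost.exe (the injected host, not the real service host) writes copies of itself under GUID-named directories using the names of legitimate system binaries (w32tm.exe, tzutil.exe), registers a Run value whose name is itself a GUID in both HKLM and HKCU, and the tzutil.exe copy drops an unsigned driver into C:\Windows\Temp and creates a service for it. Because the writer is named svchost.exe, allow-listing by process name does not help; what can be checked is the on-disk and registry state left behind. The script below is an added triage example, not part of the Joe Sandbox report and not the sample's code. The GUID pattern, the reused binary names and the temp-directory service check come from the entries above; the function names (Get-ShannonEntropy, Find-ReportedPersistence), the search roots and the 7.0 file-entropy threshold (chosen against the per-section entropies of 7.96 to 7.99 reported for the dropped files) are assumptions.

```powershell
# Added triage script for the persistence artifacts listed in this report.
# Not part of the Joe Sandbox report or of the sample. Function names, search
# roots and the entropy threshold are assumptions; run elevated on the host.

# A Run value name or directory name that is a bare GUID, as in the report
# (e.g. {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}).
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
# System binary names the sample reused for its dropped copies (from the report).
$ReusedNames = @('w32tm.exe', 'tzutil.exe')
# File-level Shannon entropy above which a PE is flagged as probably packed
# (assumption; the report's per-section values for the dropped files were 7.96-7.99).
$EntropyThreshold = 7.0

function Get-ShannonEntropy {
    # Shannon entropy in bits per byte over the whole file (0.0 to 8.0).
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($h, 3)
}

function Find-ReportedPersistence {
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Run values whose *name* is a GUID, in both hives as the report shows.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -match $GuidPattern) {
                $hits.Add([pscustomobject]@{ Kind = 'RunValue'; Where = "$key\$($prop.Name)"; Detail = $prop.Value })
            }
        }
    }

    # 2. Services whose ImagePath points into a temp or ProgramData directory
    #    (the report shows a service backed by C:\Windows\Temp\Jqrd3_6076.sys).
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match '(?i)\\(Windows\\Temp|ProgramData|AppData\\Local\\Temp)\\') {
            $hits.Add([pscustomobject]@{ Kind = 'Service'; Where = $svc.PSChildName; Detail = $img })
        }
    }

    # 3. System-binary names under a GUID-named directory outside System32, plus any
    #    driver dropped into C:\Windows\Temp; each file is scored by entropy.
    $files = @()
    foreach ($root in @("$env:ProgramData", "$env:LOCALAPPDATA\Temp")) {
        $files += @(Get-ChildItem -Path $root -Recurse -File -Include $ReusedNames -ErrorAction SilentlyContinue |
                    Where-Object { $_.Directory.Name -match $GuidPattern })
    }
    $files += @(Get-ChildItem -Path "$env:SystemRoot\Temp" -File -Filter '*.sys' -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        $h = Get-ShannonEntropy -Path $f.FullName
        $flag = if ($h -ge $EntropyThreshold) { 'packed?' } else { '' }
        $hits.Add([pscustomobject]@{ Kind = 'File'; Where = $f.FullName; Detail = "entropy=$h $flag".Trim() })
    }

    return $hits
}

Find-ReportedPersistence | Format-Table -AutoSize -Wrap
```

                    The file check matches on the directory name and the reused binary name rather than on a hash, because the report's dropped copies are freshly packed (section entropies near 8.0) and will not share a hash across victims; whole-file entropy is a coarser signal than the per-section values the sandbox reports, so treat a hit below the threshold as still worth a look when the path and Run value match.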

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\svchost.exe | File deleted: c:\users\user\desktop\file.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 identical entries)
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F88830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,5_2_0000024DE6F88830
                    Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{42F09F7D-CA44-409E-A936-E948CF4ECA66} {875376CD-1334-41AA-8A36-0C7105D31883}
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 681BB6
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 6752F3
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 66E105
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 6336DC
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 66A5B5
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 6681CF
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 563E86
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 63E81C
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 66629D
                    Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: 7FF9B762E814
                    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6639A2, instructions: rdtsc, caused by: RDTSC with Trap Flag (TF)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Special instruction interceptor: First address: 140431327, instructions: rdtsc, caused by: RDTSC with Trap Flag (TF)
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Special instruction interceptor: First address: 1402AC77B, instructions: rdtsc, caused by: RDTSC with Trap Flag (TF)
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F8DE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,5_2_0000024DE6F8DE00
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5911
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3774
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7371
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2296
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7277
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2292
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Dropped PE file which has not been started: C:\Windows\Temp\Jqrd3_6076.sys
                    Source: C:\Windows\System32\svchost.exe | Evaded block: after key decision (graph_5-18244)
                    Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-10237)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_9-54377)
                    Source: C:\Users\user\Desktop\file.exe | API coverage: 5.7 %
                    Source: C:\Windows\System32\svchost.exe | API coverage: 8.4 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576 | Thread sleep count: 5911 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480 | Thread sleep count: 3774 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 4276 | Thread sleep count: 46 > 30
                    Source: C:\Windows\System32\svchost.exe TID: 4276 | Thread sleep time: -138000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 3980 | Thread sleep time: -90000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2708 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012 | Thread sleep count: 7277 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620 | Thread sleep count: 2292 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5364 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 5960 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410AA0 _memset,_memset,SHGetKnownFolderPath,__snwprintf,__snwprintf,CoTaskMemFree,_memset,__snwprintf,FindFirstFileW,_memset,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_00410AA0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F797F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,5_2_0000024DE6F797F0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008735CC FindFirstFileA,FindNextFileA,FindClose,9_2_008735CC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00891C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,9_2_00891C54
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00825BCC GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,9_2_00825BCC
                    Source: svchost.exe, 00000005.00000002.2200670079.0000024DE7098000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000011.00000002.2200875683.000001D971C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
                    Source: svchost.exe, 00000005.00000002.2200670079.0000024DE7098000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2200585974.0000024DE7081000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1168057284.000000000049C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2202196709.000001D97725C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: tzutil.exe, 00000009.00000002.1168057284.000000000049C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                    Source: svchost.exe, 00000005.00000002.2200132156.0000024DE7033000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                    Source: file.exe, 00000000.00000002.965877867.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000002.1190354273.0000000000476000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.exe, 00000005.00000002.2201215033.0000024DE9208000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10193)
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10239)
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10251)
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10242)
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10247)
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10260)
                    Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-10275)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F9A818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0000024DE6F9A818
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F88830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,5_2_0000024DE6F88830
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00899204 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,9_2_00899204
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6FA0E94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0000024DE6FA0E94
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F9C5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0000024DE6F9C5E0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F9E5B8 SetUnhandledExceptionFilter,5_2_0000024DE6F9E5B8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0088C280 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0088C280
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0088C540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0088C540
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00889924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00889924
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00889B18 SetUnhandledExceptionFilter,9_2_00889B18

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\svchost.exe | File created: tzutil.exe.5.dr
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x14027B83F
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x1402698D6
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1400026B1
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140248445
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x140298A31
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140179770
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x14029856D
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x14025B23F
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x14027C20D
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140225E38
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x140282C5A
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140236AB8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x14028BBDC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x1402412BC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140168DD1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x14028DE66
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x14029D239
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004043D0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004044A0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004044A0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F742E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,5_2_0000024DE6F742E0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F743D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,5_2_0000024DE6F743D0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F7A3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,5_2_0000024DE6F7A3B0
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" ""
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CF50 AllocateAndInitializeSid,_memset,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,0_2_0040CF50
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D480 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0041D480
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: GetLocaleInfoA,9_2_0088E5E8
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407FE0 __snwprintf,RegCreateKeyExW,RegCloseKey,_memset,GetSystemTime,SystemTimeToFileTime,0_2_00407FE0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F95AD0 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,RtlGetVersion,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,5_2_0000024DE6F95AD0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0088D80C ___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,9_2_0088D80C
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000024DE6F9F6DC HeapCreate,GetVersion,HeapSetInformation,5_2_0000024DE6F9F6DC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 5.2.svchost.exe.24de6f70000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.92bfe8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.965877867.0000000000926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2199674916.0000024DE6FA8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.964219117.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6440, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 5.2.svchost.exe.24de6f70000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.92bfe8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.965877867.0000000000926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2199674916.0000024DE6FA8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.964219117.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6440, type: MEMORYSTR
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008492C4 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,9_2_008492C4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00838C10 htons,bind,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,9_2_00838C10
                    MITRE ATT&CK Matrix (a number before a technique name is the count of behaviours matched for this sample; unnumbered cells are the matrix's default entries)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 1 Scripting | Valid Accounts | 3 Native API | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 11 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 14 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 2 LSASS Driver | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 11 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 2 LSASS Driver | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | NTDS | 235 System Information Discovery | Distributed Component Object Model | Input Capture | 124 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Software Packing | LSA Secrets | 441 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Windows Service | 1 DLL Side-Loading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 211 Process Injection | 11 File Deletion | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 11 Registry Run Keys / Startup Folder | 2 Masquerading | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 131 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1
                    Access Token Manipulation
                    Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                    Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task211
                    Process Injection
                    KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1649098  Sample: file.exe  Startdate: 26/03/2025  Architecture: WINDOWS  Score: 100

                    Sample-level DNS/IP: grabify.link; edge.geo.kaspersky.com; devbuilds.s.kaspersky-labs.com
                    Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

                    Process tree (children indented under the process that started them; the graph's per-process file and registry-value counters are not reproduced):

                    file.exe
                      Signatures: Query firmware table information (likely to detect VMs); Adds a directory exclusion to Windows Defender; Maps a DLL or memory area into another process; 3 other signatures
                      svchost.exe
                        DNS/IP: 82.29.67.160, 443, 49684, 49686 NTLGB United Kingdom; grabify.link 104.26.8.202, 443, 49685, 49687 CLOUDFLARENETUS United States; 107.174.192.179, 49683, 80 AS-COLOCROSSINGUS United States
                        Dropped: C:\Users\user\AppData\Local\...\w32tm.exe, PE32+; C:\ProgramData\...\tzutil.exe, PE32+; C:\Users\user\AppData\Local\Temp\...\set.bat, PNG
                        Signatures: Benign windows process drops PE files; Creates autostart registry keys with suspicious names; Deletes itself after installation; Searches for specific processes (likely to inject)
                        tzutil.exe
                          DNS/IP: 104.168.28.10, 49696, 49699, 49702 AS-COLOCROSSINGUS United States; 127.0.0.1 unknown unknown
                          Dropped: C:\Windows\Temp\Jqrd3_6076.sys, PE32+
                          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); 2 other signatures
                          powershell.exe
                            Signatures: Loading BitLocker PowerShell Module
                            conhost.exe
                          powershell.exe
                            conhost.exe
                        w32tm.exe
                          DNS/IP: edge.geo.kaspersky.com 4.28.136.57, 443, 49726, 49731 LEVEL3US United States
                          Signatures: Creates HTML files with .exe extension (expired dropper behavior); Tries to evade analysis by execution special instruction (VM detection); Found direct / indirect Syscall (likely to bypass EDR)
                        cmd.exe
                          conhost.exe
                      cmd.exe
                        Signatures: Adds a directory exclusion to Windows Defender
                        powershell.exe
                          Signatures: Loading BitLocker PowerShell Module
                          conhost.exe
                    svchost.exe

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.