
Windows Analysis Report
SecuriteInfo.com.FileRepMalware.14920.16794.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.14920.16794.exe
Analysis ID: 1656622
MD5: 79c47af6671f89ba34da1c332b5d5035
SHA1: 4169b11ea22eb798ef101e1051b55a5d51adf3c2
SHA256: 6facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600
Tags: exe, user-SecuriteInfoCom

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Windows Binaries Write Suspicious Extensions
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.14920.16794.exe (PID: 8652 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe" MD5: 79C47AF6671F89BA34DA1C332B5D5035)
    • cmd.exe (PID: 8672 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8744 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • WmiPrvSE.exe (PID: 8904 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • svchost.exe (PID: 8708 cmdline: "C:\Windows\system32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • tzutil.exe (PID: 8412 cmdline: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" "" MD5: 8B178D0C06A56BA05C778378F40D4F0C)
        • powershell.exe (PID: 7136 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8672 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8440 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • w32tm.exe (PID: 8428 cmdline: "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" "" MD5: 15BDC4BD67925EF33B926843B3B8154B)
  • cleanup
{"C2": "82.29.67.160", "Port": 443}
Source | Rule | Description | Author | Strings
00000000.00000002.1303207128.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000000.00000002.1303207128.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.2566939197.000001A914DD8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000003.00000002.2566939197.000001A914DD8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.1303941713.00000000008B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x362e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x36218:$s1: CoGetObject
  • 0x362b0:$s2: Elevation:Administrator!new:
3.2.svchost.exe.1a914da0000.0.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
3.2.svchost.exe.1a914da0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
3.2.svchost.exe.1a914da0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x36ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x36e18:$s1: CoGetObject
  • 0x36eb0:$s2: Elevation:Administrator!new:

                  System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 8708, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe, ParentProcessId: 8652, ParentProcessName: SecuriteInfo.com.FileRepMalware.14920.16794.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 8672, ProcessName: cmd.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 8708, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\svchost.exe, ProcessId: 8708, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\system32\svchost.exe", ParentImage: C:\Windows\System32\svchost.exe, ParentProcessId: 8708, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, ProcessId: 8440, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe, ParentProcessId: 8652, ParentProcessName: SecuriteInfo.com.FileRepMalware.14920.16794.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 8708, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 8744, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe, ParentProcessId: 8652, ParentProcessName: SecuriteInfo.com.FileRepMalware.14920.16794.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 8708, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-04T13:43:11.260279+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.26.8.202 | 443 | TCP
2025-04-04T13:43:14.119742+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49726 | 104.26.8.202 | 443 | TCP

                  AV Detection

Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Avira: detected
Source: 3.2.svchost.exe.1a914da0000.0.unpack | Malware Configuration Extractor: DarkVision Rat {"C2": "82.29.67.160", "Port": 443}
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | ReversingLabs: Detection: 45%
Source: C:\Windows\Temp\NsoACf_8412.sys | ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Virustotal: Detection: 45%
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Neural Call Log Analysis: 99.9%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00405110 LocalAlloc,CryptBinaryToStringW,CryptBinaryToStringW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle, 0_2_00405110
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_0041CFE0 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash, 0_2_0041CFE0
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDC00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash, 3_2_000001A914DBDC00
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DA53B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle, 3_2_000001A914DA53B0
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDD5A CryptReleaseContext,CryptDestroyHash, 3_2_000001A914DBDD5A
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDD1E CryptReleaseContext,CryptDestroyHash, 3_2_000001A914DBDD1E
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDCF7 CryptReleaseContext,CryptDestroyHash, 3_2_000001A914DBDCF7
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDD8F CryptReleaseContext,CryptDestroyHash, 3_2_000001A914DBDD8F
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007E82FC malloc,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,free, 9_2_007E82FC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0082F028 CryptGenRandom, 9_2_0082F028
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007D71E8 CryptAcquireContextA,CryptCreateHash, 9_2_007D71E8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007D71EA CryptAcquireContextA,CryptCreateHash, 9_2_007D71EA
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007D7244 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 9_2_007D7244
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007E8478 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 9_2_007E8478
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007DE4C4 CryptAcquireContextA,CryptCreateHash, 9_2_007DE4C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007DE510 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 9_2_007DE510
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: -----BEGIN PUBLIC KEY----- 9_2_007C3268
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: -----BEGIN PUBLIC KEY----- 9_2_007EF214
Source: tzutil.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                  Exploits

Source: Yara match | File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.1a914da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1303207128.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2566939197.000001A914DD8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1303941713.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.14920.16794.exe PID: 8652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8708, type: MEMORYSTR
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: Binary string: sers\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* | source: w32tm.exe, 0000000C.00000002.1544161738.000000000056C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00410AA0 SHGetKnownFolderPath,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep, 0_2_00410AA0
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DA97F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep, 3_2_000001A914DA97F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008035CC FindFirstFileA,FindNextFileA,FindClose, 9_2_008035CC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00821C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 9_2_00821C54

                  Networking

Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5 -> 82.29.67.160:443 (62 flows, one alert each; source ports in report order: 49724, 49727, 49728, 49756, 49775, 49812, 49817, 49816, 49818, 49823, 49827, 49820, 49830, 49829, 49835, 49832, 49836, 49834, 49825, 49828, 49833, 49840, 49846, 49845, 49849, 49850, 49852, 49847, 49837, 49855, 49842, 49854, 49857, 49856, 49851, 49859, 49838, 49844, 49858, 49831, 49870, 49871, 49864, 49874, 49860, 49853, 49867, 49839, 49843, 49873, 49848, 49869, 49875, 49861, 49865, 49868, 49863, 49862, 49866, 49819, 49841, 49872)
Source: Malware configuration extractor | IPs: 82.29.67.160
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | File created: 5a8e4a73.exe.12.dr
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.22.1 | Date: Fri, 04 Apr 2025 11:43:07 GMT | Content-Type: application/octet-stream | Content-Length: 1961472 | Last-Modified: Fri, 04 Apr 2025 09:05:45 GMT | Connection: keep-alive | ETag: "67efa0e9-1dee00" | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 14 fa ce 67 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 09 00 00 ba 00 00 00 68 19 00 00 00 00 00 24 a5 2f 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 00 43 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 0e 40 00 3c 00 00 00 00 90 42 00 46 6b 00 00 10 5b 42 00 90 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c2 b9 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 2a 00 00 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 ba 18 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c8 07 00 00 00 c0 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 65 30 00 00 00 00 00 00 9f 27 0b 00 00 d0 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 65 31 00 00 00 00 00 00 50 00 00 00 00 00 25 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 65 32 00 00 00 00 00 00 a0 7b 1d 00 00 10 25 00 00 7c 1d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 46 6b 00 00 00 90 42 00 00 6c 00 00 00 82 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 (remaining preview bytes are all 00)
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.22.1 | Date: Fri, 04 Apr 2025 11:43:14 GMT | Content-Type: application/octet-stream | Content-Length: 1400832 | Last-Modified: Sat, 22 Mar 2025 01:09:32 GMT | Connection: keep-alive | ETag: "67de0dcc-156000" | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 bc 0b de 67 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 09 00 00 3a 07 00 00 ca 01 00 00 00 00 00 41 3f 2a 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 2b 00 00 04 00 00 5f c9 15 00 02 00 00 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 b9 24 00 a0 00 00 00 00 c0 2b 00 b2 01 00 00 a0 4f 2b 00 bc 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 16 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f5 38 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 52 01 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 64 6d 00 00 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 f4 3e 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 73 30 30 00 00 00 00 00 68 ee 0c 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 73 30 31 00 00 00 00 00 a0 00 00 00 00 50 16 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 30 32 00 00 00 00 00 5c 57 15 00 00 60 16 00 00 58 15 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 b2 01 00 00 00 c0 2b 00 00 02 00 00 00 5e 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 (remaining preview bytes are all 00)
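Both responses above are application/octet-stream bodies whose Data Raw previews open with an MZ header and a PE signature at offset 0x80, so what came back from these two downloads are Windows executables. The Python below is an added example and is not part of the Joe Sandbox report: it decodes the DOS, COFF and optional-header fields from such a hex preview. The embedded bytes are the first 224 bytes of the first response's preview, copied from the report; that prefix reaches DllCharacteristics but stops before the section table, so the parser returns section names only when handed a longer preview, and it raises ValueError instead of guessing when the bytes are not a PE image or are cut too short.

```python
import struct
from datetime import datetime, timezone

# First 224 bytes of the Data Raw preview of the first response above (the
# 1961472-byte application/octet-stream body), copied from the report. They
# cover the DOS header and stub, the COFF header and the optional header up to
# DllCharacteristics; the section table starts beyond this prefix.
PREVIEW_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 64 86 08 00 14 fa ce 67 00 00 00 00
00 00 00 00 f0 00 23 00 0b 02 09 00 00 ba 00 00
00 68 19 00 00 00 00 00 24 a5 2f 00 00 10 00 00
00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00
05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00
00 00 43 00 00 04 00 00 00 00 00 00 02 00 00 81
"""

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}


def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe_preview(hex_preview):
    """Decode DOS, COFF and optional-header fields from a hex preview of a PE file.

    Raises ValueError when the bytes are not a PE image or stop before the
    fields read here (DllCharacteristics at optional-header offset 70).
    """
    data = bytes.fromhex(hex_preview)  # whitespace, newlines included, is skipped
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    try:
        (machine, nsections, timestamp, _symtab, _nsyms,
         opt_size, chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24                  # 4-byte signature + 20-byte COFF header
        pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
        entry = struct.unpack_from("<I", data, opt + 16)[0]
        # PE32+ keeps a 64-bit ImageBase at +24; PE32 has BaseOfData there and ImageBase at +28.
        image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                      else struct.unpack_from("<I", data, opt + 28)[0])
        subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    except struct.error as exc:
        raise ValueError("preview too short for the PE headers") from exc

    # Section headers (40 bytes each) follow the optional header; decode them
    # only when the preview actually reaches that far.
    sect_off = opt + opt_size
    section_names = None
    if len(data) >= sect_off + 40 * nsections:
        section_names = [
            data[sect_off + 40 * i:sect_off + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsections)
        ]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": pe32plus,
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "characteristics": flag_names(chars, CHARACTERISTICS),
        "entry_point": entry,
        "image_base": image_base,
        "subsystem": subsystem,  # 2 = Windows GUI, 3 = console
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "aslr": bool(dll_chars & 0x0040),
        "nx": bool(dll_chars & 0x0100),
        "section_names": section_names,
    }


if __name__ == "__main__":
    for field, value in parse_pe_preview(PREVIEW_HEX).items():
        print(f"{field:20} {value:#x}" if type(value) is int else f"{field:20} {value}")
```

On that prefix it reports an AMD64 PE32+ GUI image with 8 sections, TimeDateStamp 0x67cefa14 (2025-03-10 14:41:24 UTC), entry point 0x2fa524, ImageBase 0x140000000, NX_COMPAT and TERMINAL_SERVER_AWARE set but not DYNAMIC_BASE, and RELOCS_STRIPPED among the Characteristics: the image carries no relocations and opts out of ASLR, so it always maps at 0x140000000. Fed the whole preview it also yields the section names, .text, .rdata, .data, .pdata, e0, e1, e2 and .rsrc for the first response and .text, .rdata, .data, .pdata, s00, s01, s02 and .rsrc for the second. In both, the standard sections have SizeOfRawData 0 and only e1, e2 and .rsrc (s01, s02 and .rsrc) are backed by file data, ending exactly at 0x1dee00 and 0x156000, the two Content-Length values; code that exists only in memory plus non-standard section names is the layout of a packed image. The second preview's TimeDateStamp bc 0b de 67 decodes the same way to 2025-03-22 01:00:44 UTC, about nine minutes before its Last-Modified header.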
Source: Joe Sandbox View | IP Address: 4.28.136.57
Source: Joe Sandbox View | IP Address: 104.26.8.202
Source: Joe Sandbox View | IP Address: 107.174.192.179
Source: Joe Sandbox View | ASN Name: NTLGB
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49725 -> 104.26.8.202:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49726 -> 104.26.8.202:443
Source: global traffic | HTTP traffic detected: GET /ZATFQO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link
Source: global traffic | HTTP traffic detected: GET /images/pixel.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link | Cookie: g_session=eyJpdiI6IjY2eWJ6cGZhbUFvYllUb3c4dm5mNFE9PSIsInZhbHVlIjoiZkhIaUVNaWxodENCVE1kUHdYV0NTTnFESlFJVkE5Rll5Mm5aSkxuNnBLSDM3Rkp1VTNKWU9WelRIZlN4SUtUeTBUNCtFdUhqMU45VkplajJTYmJ4WXFoZEFYYWRIYjJ2Vy9tVmMwQWlzd0p2MWNkYVJCejVyT2xKMHFVZmsxZEQiLCJtYWMiOiI5ODMzYTZjNjEwZTU0ZDY2YjYzNTliZjQ1NDc4NDRmY2VkYTQ2ZmVmNjYyNGM0YjVhM2NkODViODgwNmI4NDgzIiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6ImRheTdBOGhzandzNzNXb0UwejZkT3c9PSIsInZhbHVlIjoiY2s5K1czbFFPTGphWUhrVmJFMjk5U29BNzdZeWJlQWNkbzNwOFJiOUt5L0huN2V2RllVYlVnL1RNY2haam1xdXNBbUxaZlI4N014Umh6aXk3bU4wMmUza2oxb0JmUVl5OWpIMjBsNEZEZ0VnT1dHWFY2THlvUUx5VFN5bFZud1EiLCJtYWMiOiJkOGQ0M2E0NmY0YmE3ZTdmMWZjY2FiMGVjMWM5YzYzMWU4YzIxZDk2Y2RlMDdlMzA3NWFkNDljMjA5OTA1ZWY2IiwidGFnIjoiIn0%3D
Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */* (this HEAD/GET pair is recorded five times)
Source: global traffic | HTTP traffic detected: GET /data/003 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
Source: global traffic | HTTP traffic detected: GET /clean HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
Source: global traffic | HTTP traffic detected: HEAD /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */* | Range: one GET per byte range, 43 chunked requests in capture order: 0-16383, 16384-32767, 32768-49151, 49152-65535, 65536-81919, 81920-98303, 114688-131071, 98304-114687, 131072-163839, 163840-196607, 196608-229375, 229376-262143, 262144-294911, 294912-327679, 327680-360447, 360448-393215, 393216-458751, 458752-524287, 524288-589823, 589824-655359, 655360-720895, 720896-786431, 786432-851967, 851968-917503, 1048576-1179647, 917504-1048575, 1179648-1310719, 1310720-1441791, 1441792-1572863, 1572864-1703935, 1703936-1835007, 1835008-1966079, 1966080-2228223, 2228224-2490367, 2490368-2752511, 2752512-3014655, 3014656-3276799, 3276800-3538943, 3538944-3801087, 3801088-4325375, 4325376-4849663, 4849664-5373951, 5373952-5606383
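Two patterns in this section are easier to judge in aggregate than line by line: the 2045618 alerts (one signature, one destination, a fresh ephemeral source port per flow, which is a check-in loop rather than a single connection) and the requests to 104.168.28.10, where a HEAD with Range: bytes=0-0 probes the size and is followed by Range GETs whose chunk sizes double from 16 KiB to 512 KiB, some arriving out of order, all carrying a User-Agent whose rv:21.0 is newer than its Firefox/10.3 (in a genuine Gecko UA the rv: token never exceeds the Firefox/ version; the two match, except that Firefox 110 to 119 kept rv:109.0). The Python below is an added example and is not part of the Joe Sandbox report: it parses entries in the form used on this page, groups alerts by signature and destination, reassembles the Range requests per target to report chunk count, gaps and end offset, and flags that UA inconsistency. The sample lines are constructed: three of the check-in alerts, the JA3 alert, the HEAD probe and the first four chunks for /003/01/d1, and an invented second target (10.0.0.9, /stage2) with a missing chunk so that gap reporting is exercised.

```python
import re
from collections import defaultdict

ALERT_RE = re.compile(r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
RANGE_RE = re.compile(r"^bytes=(\d+)-(\d+)$")
# In a real Gecko UA the rv: version never exceeds the Firefox/ version.
GECKO_UA_RE = re.compile(r"rv:(\d+)\.\d+\) Gecko/\d+ Firefox/(\d+)\.")
HTTP_MARKER = "HTTP traffic detected: "

# Constructed sample in the layout of this section's entries: three DarkVision
# check-in alerts, one JA3 alert, the HEAD probe plus the first four chunk GETs
# for /003/01/d1, and an invented target (10.0.0.9) whose capture lacks a chunk.
FAKE_FF_UA = "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3"
DV = "Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : "
D1 = "Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes="
SAMPLE_LINES = [
    DV + "192.168.2.5:49724 -> 82.29.67.160:443",
    DV + "192.168.2.5:49727 -> 82.29.67.160:443",
    DV + "192.168.2.5:49728 -> 82.29.67.160:443",
    "Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware"
    " - Fake Firefox Font Update : 192.168.2.5:49725 -> 104.26.8.202:443",
    "Source: global traffic | HTTP traffic detected: HEAD /003/01/d1 HTTP/1.1 | Host: 104.168.28.10"
    f" | Range: bytes=0-0 | User-Agent: {FAKE_FF_UA} | Accept: */*",
    f"{D1}0-16383 | User-Agent: {FAKE_FF_UA} | Accept: */*",
    f"{D1}16384-32767 | User-Agent: {FAKE_FF_UA} | Accept: */*",
    f"{D1}49152-65535 | User-Agent: {FAKE_FF_UA} | Accept: */*",
    f"{D1}32768-49151 | User-Agent: {FAKE_FF_UA} | Accept: */*",
    "Source: global traffic | HTTP traffic detected: GET /stage2 HTTP/1.1 | Host: 10.0.0.9 | Range: bytes=0-999 | User-Agent: curl/8.0",
    "Source: global traffic | HTTP traffic detected: GET /stage2 HTTP/1.1 | Host: 10.0.0.9 | Range: bytes=2000-2999 | User-Agent: curl/8.0",
]


def parse_alert(line):
    """Fields of a 'Suricata IDS: SID - Severity N - msg : src:port -> dst:port' entry, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}


def summarize_alerts(lines):
    """Group alerts by (sid, dst, dport); a beacon shows up as many source ports under one key."""
    groups = defaultdict(lambda: {"msg": None, "severity": None, "src_ports": set()})
    for line in lines:
        a = parse_alert(line)
        if a:
            g = groups[(a["sid"], a["dst"], a["dport"])]
            g["msg"], g["severity"] = a["msg"], a["sev"]
            g["src_ports"].add(a["sport"])
    return dict(groups)


def parse_http(line):
    """Split 'HTTP traffic detected: METHOD PATH VERSION | Header: value | ...' into its parts."""
    if HTTP_MARKER not in line:
        return None
    request_line, *fields = [p.strip() for p in line.split(HTTP_MARKER, 1)[1].split(" | ")]
    method, path, _version = request_line.split(" ", 2)
    headers = dict(f.partition(": ")[::2] for f in fields)
    return {"method": method, "path": path, "headers": headers}


def inconsistent_gecko_ua(ua):
    m = GECKO_UA_RE.search(ua)
    return bool(m) and int(m.group(1)) > int(m.group(2))


def check_range_downloads(lines):
    """Reassemble Range GETs per (host, path): chunks, coverage, gaps, size probe and UA flags."""
    targets = defaultdict(lambda: {"ranges": [], "head_probe": False, "fake_ua": False})
    for line in lines:
        req = parse_http(line)
        if not req:
            continue
        h = req["headers"]
        t = targets[(h.get("Host"), req["path"])]
        m = RANGE_RE.match(h.get("Range", ""))
        if m and req["method"] == "HEAD":
            t["head_probe"] = True            # size probe before the chunked fetch
        elif m and req["method"] == "GET":
            t["ranges"].append((int(m.group(1)), int(m.group(2))))
        t["fake_ua"] |= inconsistent_gecko_ua(h.get("User-Agent", ""))
    report = {}
    for key, t in targets.items():
        if not t["ranges"]:
            continue
        gaps, next_expected = [], 0
        for start, end in sorted(t["ranges"]):  # the capture shows chunks out of order
            if start > next_expected:
                gaps.append((next_expected, start - 1))
            next_expected = max(next_expected, end + 1)
        report[key] = {"chunks": len(t["ranges"]), "gaps": gaps,
                       "bytes_covered": sum(e - s + 1 for s, e in t["ranges"]),
                       "end_offset": next_expected,  # equals file size once the last chunk is in
                       "head_probe": t["head_probe"], "fake_ua": t["fake_ua"]}
    return report


if __name__ == "__main__":
    for (sid, dst, dport), g in summarize_alerts(SAMPLE_LINES).items():
        print(f"SID {sid} sev {g['severity']} -> {dst}:{dport}: {len(g['src_ports'])} flows ({g['msg']})")
    for (host, path), r in check_range_downloads(SAMPLE_LINES).items():
        print(f"{host}{path}: {r}")
```

Run over all 43 GETs listed in the report, the coverage comes out contiguous with an end offset of 5606384 bytes, the size of the file fetched from 104.168.28.10; a gap would mean the capture missed a chunk or the download was cut off. A size probe followed by growing, reordered ranges is what a concurrent chunked downloader produces, which matters when reassembling the payload from a pcap: sort by range, do not rely on arrival order.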
                  Source: unknown | TCP traffic detected without corresponding DNS query: 107.174.192.179 (50 connections logged)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00420720 recv, 0_2_00420720
                  Source: global traffic | HTTP traffic detected: GET /ZATFQO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link
                  Source: global traffic | HTTP traffic detected: GET /images/pixel.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link | Cookie: g_session=eyJpdiI6IjY2eWJ6cGZhbUFvYllUb3c4dm5mNFE9PSIsInZhbHVlIjoiZkhIaUVNaWxodENCVE1kUHdYV0NTTnFESlFJVkE5Rll5Mm5aSkxuNnBLSDM3Rkp1VTNKWU9WelRIZlN4SUtUeTBUNCtFdUhqMU45VkplajJTYmJ4WXFoZEFYYWRIYjJ2Vy9tVmMwQWlzd0p2MWNkYVJCejVyT2xKMHFVZmsxZEQiLCJtYWMiOiI5ODMzYTZjNjEwZTU0ZDY2YjYzNTliZjQ1NDc4NDRmY2VkYTQ2ZmVmNjYyNGM0YjVhM2NkODViODgwNmI4NDgzIiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6ImRheTdBOGhzandzNzNXb0UwejZkT3c9PSIsInZhbHVlIjoiY2s5K1czbFFPTGphWUhrVmJFMjk5U29BNzdZeWJlQWNkbzNwOFJiOUt5L0huN2V2RllVYlVnL1RNY2haam1xdXNBbUxaZlI4N014Umh6aXk3bU4wMmUza2oxb0JmUVl5OWpIMjBsNEZEZ0VnT1dHWFY2THlvUUx5VFN5bFZud1EiLCJtYWMiOiJkOGQ0M2E0NmY0YmE3ZTdmMWZjY2FiMGVjMWM5YzYzMWU4YzIxZDk2Y2RlMDdlMzA3NWFkNDljMjA5OTA1ZWY2IiwidGFnIjoiIn0%3D
                  Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */* (5 identical requests logged)
                  Source: global traffic | HTTP traffic detected: GET /data/003 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
                  Source: global traffic | HTTP traffic detected: GET /clean HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=49152-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=65536-81919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=81920-98303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=114688-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=98304-114687 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=131072-163839 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=163840-196607 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=196608-229375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=229376-262143 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=262144-294911 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=294912-327679 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=327680-360447 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=360448-393215 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=393216-458751 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=458752-524287 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=524288-589823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=589824-655359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=720896-786431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=786432-851967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=851968-917503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1048576-1179647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=917504-1048575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1179648-1310719 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1310720-1441791 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1441792-1572863 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1572864-1703935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1703936-1835007 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1835008-1966079 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1966080-2228223 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2228224-2490367 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2490368-2752511 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2752512-3014655 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3014656-3276799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3276800-3538943 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3538944-3801087 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3801088-4325375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4325376-4849663 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4849664-5373951 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5373952-5606383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                  Source: global traffic | DNS traffic detected: DNS query: grabify.link
                  Source: global traffic | DNS traffic detected: DNS query: devbuilds.s.kaspersky-labs.com
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:24 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5dc751619b3ae689675; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:24 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:26 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5de751619b6ae65f525; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:26 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:27 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5df751619acae603f2f; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:27 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:28 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e0751619aeae64c2be; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:28 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:28 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e0751619b0ae58d242; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:28 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:29 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e1751619b2ae67748c; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:29 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:29 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e1751619b5ae5af2b7; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:29 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:30 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e2751619b7ae660f58; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:30 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:31 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e3751619a9ae5b63a0; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:31 GMT; HttpOnly
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 04 Apr 2025 11:43:31 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467efc5e3751619abae6296d6; domain=.kaspersky-labs.com; path=/; expires=Sat, 04-Apr-2026 11:43:31 GMT; HttpOnly
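The 43 Range requests listed above fetch /003/01/d1 from 104.168.28.10 in chunks of growing size, two of them logged out of sequence, with a fixed User-Agent whose rv:21.0 and Firefox/10.3 versions do not agree. The following added example (not code from the Joe Sandbox report or from the sample) reassembles the logged ranges to confirm they cover one contiguous object and to size it, recovers request line and headers from the report's flattened layout, and flags the mismatched User-Agent. LOGGED_RANGES is transcribed from the requests above in logged order; SAMPLE_REQUEST is one request written in that flattened layout and is constructed input.

```python
"""Reassemble the byte-range download of /003/01/d1 and flag its User-Agent.

Added example; not code from the Joe Sandbox report or from the sample.
"""
import re
from typing import NamedTuple

# Constructed: one request in the report's CRLF-less header layout.
SAMPLE_REQUEST = (
    "GET /003/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=0-16383"
    "User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) "
    "Gecko/20100101 Firefox/10.3Accept: */*"
)

# Range values transcribed from the report, in the order they were logged.
LOGGED_RANGES = [
    "bytes=0-16383", "bytes=16384-32767", "bytes=32768-49151",
    "bytes=49152-65535", "bytes=65536-81919", "bytes=81920-98303",
    "bytes=114688-131071", "bytes=98304-114687",  # logged out of order
    "bytes=131072-163839", "bytes=163840-196607", "bytes=196608-229375",
    "bytes=229376-262143", "bytes=262144-294911", "bytes=294912-327679",
    "bytes=327680-360447", "bytes=360448-393215", "bytes=393216-458751",
    "bytes=458752-524287", "bytes=524288-589823", "bytes=589824-655359",
    "bytes=655360-720895", "bytes=720896-786431", "bytes=786432-851967",
    "bytes=851968-917503", "bytes=1048576-1179647", "bytes=917504-1048575",
    "bytes=1179648-1310719", "bytes=1310720-1441791", "bytes=1441792-1572863",
    "bytes=1572864-1703935", "bytes=1703936-1835007", "bytes=1835008-1966079",
    "bytes=1966080-2228223", "bytes=2228224-2490367", "bytes=2490368-2752511",
    "bytes=2752512-3014655", "bytes=3014656-3276799", "bytes=3276800-3538943",
    "bytes=3538944-3801087", "bytes=3801088-4325375", "bytes=4325376-4849663",
    "bytes=4849664-5373951", "bytes=5373952-5606383",
]

HEADER_NAMES = ("Host", "Range", "User-Agent", "Accept")


class Chunk(NamedTuple):
    start: int
    end: int  # inclusive, as HTTP byte ranges are

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_range(value: str) -> Chunk:
    """Parse a single 'bytes=A-B' value; open and suffix ranges are rejected."""
    m = re.fullmatch(r"bytes=(\d+)-(\d+)", value.strip())
    if not m or int(m[2]) < int(m[1]):
        raise ValueError(f"unsupported Range value: {value!r}")
    return Chunk(int(m[1]), int(m[2]))


def parse_flat_request(line: str) -> dict:
    """Recover the request line and headers from the sandbox's flattened export.

    The export drops the CRLF between headers, so each header is cut at the
    next known header name (or end of string) instead of at a line break.
    """
    m = re.match(r"([A-Z]+) (\S+) HTTP/1\.[01]", line)
    if not m:
        raise ValueError("no request line")
    fields = {"method": m[1], "path": m[2]}
    names = "|".join(HEADER_NAMES)
    for name in HEADER_NAMES:
        m = re.search(rf"{name}: (.*?)(?=(?:{names}): |$)", line)
        if m:
            fields[name] = m[1].strip()
    return fields


def reassemble(values: list[str]) -> dict:
    """Check that the logged ranges cover one contiguous object and size it."""
    chunks = [parse_range(v) for v in values]
    gaps, overlaps, expected = [], [], 0
    for c in sorted(chunks):
        if c.start > expected:
            gaps.append((expected, c.start - 1))
        elif c.start < expected:
            overlaps.append((c.start, min(c.end, expected - 1)))
        expected = max(expected, c.end + 1)
    # A request at a lower offset than its predecessor points to parallel
    # fetching rather than a single sequential loop.
    out_of_order = sum(1 for a, b in zip(chunks, chunks[1:]) if b.start < a.start)
    complete = not gaps and not overlaps
    return {
        "chunks": len(chunks),
        "complete": complete,
        "total_bytes": expected if complete else None,
        "gaps": gaps,
        "overlaps": overlaps,
        "out_of_order": out_of_order,
        "chunk_sizes": sorted({c.size for c in chunks}),
    }


def ua_inconsistent(ua: str) -> bool:
    """Genuine Firefox sends the same version in rv: and Firefox/ (rv: was
    pinned at 109.0 for a few 2023 releases); any other mismatch is hand-made."""
    rv = re.search(r"rv:(\d+(?:\.\d+)*)", ua)
    ff = re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)
    if not (rv and ff):
        return False
    return rv[1] != ff[1] and rv[1] != "109.0"


if __name__ == "__main__":
    print(reassemble(LOGGED_RANGES))
    req = parse_flat_request(SAMPLE_REQUEST)
    print(req["User-Agent"], "inconsistent" if ua_inconsistent(req["User-Agent"]) else "ok")
```

Run against the transcribed ranges, reassemble reports 43 chunks with no gaps or overlaps, a 5,606,384-byte object, two requests logged out of sequence (the 98304 and 917504 offsets) and chunk sizes stepping from 16 KiB up to 512 KiB with a 232,432-byte remainder at the end. For detection, the static User-Agent string and the pattern of range-chunked fetches of an extensionless path from a bare IP are more durable than the addresses alone.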
                  Source: tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1(
                  Source: tzutil.exe, 00000009.00000002.1511887447.0000000000523000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1GPROFILE
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1N
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1P
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1Z
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1e
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1l
                  Source: tzutil.exe, 00000009.00000003.1471043406.000000000271A000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.0000000002714000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1477804087.0000000002721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1n0
                  Source: tzutil.exe, 00000009.00000003.1471043406.000000000271A000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.0000000002714000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1477804087.0000000002721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1s0
                  Source: tzutil.exe, 00000009.00000003.1471043406.000000000271A000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.0000000002714000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1477804087.0000000002721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1u0
                  Source: tzutil.exe, 00000009.00000003.1471113014.000000000270D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1474319146.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1471069153.0000000002701000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1470946095.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512575125.000000000270E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1487052723.000000000270E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1x
                  Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe, 00000000.00000002.1303230328.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000003.00000002.2566958144.000001A914DFF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566838300.000001A9134E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566958144.000001A914E03000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566798352.000001A9134E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.174.192.179/clean
                  Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe, 00000000.00000002.1303230328.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000003.00000002.2566958144.000001A914DFF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566838300.000001A9134E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566373689.0000006F51FF6000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566958144.000001A914E03000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566798352.000001A9134E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.174.192.179/data/003
                  Source: powershell.exe, 0000000D.00000002.1546911528.000001864768B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micSE
                  Source: tzutil.exe, 00000009.00000003.1502506497.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp, NsoACf_8412.sys.9.dr | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
                  Source: tzutil.exe, 00000009.00000003.1502506497.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp, NsoACf_8412.sys.9.dr | String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
                  Source: powershell.exe, 0000000D.00000002.1536048958.000001863EEF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1615676565.00000231C32A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: tzutil.exe, 00000009.00000003.1502506497.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp, NsoACf_8412.sys.9.dr | String found in binary or memory: http://ocsp.thawte.com0
                  Source: powershell.exe, 00000012.00000002.1548580690.00000231B3459000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 0000000D.00000002.1483028744.000001862F0A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1548580690.00000231B3459000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: powershell.exe, 0000000D.00000002.1483028744.000001862EE81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1548580690.00000231B3231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000D.00000002.1483028744.000001862F0A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1548580690.00000231B3459000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 00000012.00000002.1548580690.00000231B3459000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 0000000D.00000002.1483028744.000001862EE81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1548580690.00000231B3231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000012.00000002.1615676565.00000231C32A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000012.00000002.1615676565.00000231C32A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000012.00000002.1615676565.00000231C32A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: tzutil.exe, tzutil.exe, 00000009.00000002.1512286724.00000000007B0000.00000040.00000001.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.1512806124.0000000140010000.00000004.00000001.01000000.00000004.sdmp, w32tm.exe, w32tm.exe, 0000000C.00000002.1545666496.0000000140075000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                  Source: tzutil.exe, w32tm.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
                  Source: w32tm.exe, 0000000C.00000003.1534123414.00000000021E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/fu
                  Source: w32tm.exe, 0000000C.00000002.1545666496.0000000140075000.00000002.00000001.01000000.00000006.sdmp, w32tm.exe, 0000000C.00000003.1509219406.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1527590539.0000000002359000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000002.1545149424.00000000021E4000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1514803051.000000000235D000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1509313036.0000000002356000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1543652459.00000000021E3000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1543545425.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1515984166.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1543497910.0000000002359000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1521210136.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1527649000.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1483665298.000000000235D000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1534123414.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1509523938.00000000021E3000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1538857485.000000000235B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1538881133.00000000021E1000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1483612040.000000000235D000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1483711774.000000000235D000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1520880132.000000000235B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1533973782.0000000002359000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
                  Source: w32tm.exe, 0000000C.00000003.1509313036.0000000002356000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exeHTML
                  Source: w32tm.exe, 0000000C.00000003.1543524585.000000000235B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000003.1543497910.0000000002359000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000C.00000002.1545429203.000000000235D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exent:
                  Source: powershell.exe, 00000012.00000002.1548580690.00000231B3459000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: tzutil.exe, 00000009.00000003.1502072906.000000000271E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/U7WLGD
                  Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe, 00000000.00000002.1303230328.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000003.00000002.2566958144.000001A914DFF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566838300.000001A9134E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566958144.000001A914E03000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2566798352.000001A9134E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/ZATFQO
                  Source: powershell.exe, 0000000D.00000002.1536048958.000001863EEF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1615676565.00000231C32A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: unknown | HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.5:49725 version: TLS 1.2
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DB2310 WaitForSingleObject,RtlExitUserThread,GetAsyncKeyState,Sleep,OpenEventW,SetEvent,CloseHandle,RtlExitUserThread, | 3_2_000001A914DB2310

                  System Summary

                  Source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 3.2.svchost.exe.1a914da0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00406DB0 GetCurrentProcess,CreateProcessW,NtCreateSection,NtMapViewOfSection,_memmove,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,_memmove,NtMapViewOfSection,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle, | 0_2_00406DB0
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DA7940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess, | 3_2_000001A914DA7940
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DB11A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle, | 3_2_000001A914DB11A4
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DB0740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle, | 3_2_000001A914DB0740
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007B5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey, | 9_2_007B5D7C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\NsoACf_8412.sys
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File deleted: C:\Windows\Temp\NsoACf_8412.sys
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007F45E09_2_007F45E0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008E752C9_2_008E752C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088C5489_2_0088C548
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092E5449_2_0092E544
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008226A09_2_008226A0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0082C6A09_2_0082C6A0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008146B49_2_008146B4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008996B19_2_008996B1
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0091E6CB9_2_0091E6CB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0089F6ED9_2_0089F6ED
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008E86E49_2_008E86E4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008D16FA9_2_008D16FA
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008E66069_2_008E6606
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0089B6289_2_0089B628
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0089966A9_2_0089966A
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092A6769_2_0092A676
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0080178C9_2_0080178C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007E876C9_2_007E876C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008027B49_2_008027B4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088E7139_2_0088E713
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007DF8709_2_007DF870
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008AB8DE9_2_008AB8DE
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008CC8DB9_2_008CC8DB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0081D80C9_2_0081D80C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007B18EC9_2_007B18EC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008228209_2_00822820
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008178349_2_00817834
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007D68C49_2_007D68C4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0081284C9_2_0081284C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008298709_2_00829870
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008268789_2_00826878
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008239849_2_00823984
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007F19409_2_007F1940
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008F89CB9_2_008F89CB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007D79189_2_007D7918
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008BD90D9_2_008BD90D
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008919189_2_00891918
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007E8A649_2_007E8A64
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007BBA609_2_007BBA60
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008F9AAB9_2_008F9AAB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00892AEB9_2_00892AEB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00820AF49_2_00820AF4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007F1AF89_2_007F1AF8
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008A1A119_2_008A1A11
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007E6ABC9_2_007E6ABC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007C5AB09_2_007C5AB0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008A9A449_2_008A9A44
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007F3AB09_2_007F3AB0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00817A509_2_00817A50
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00825A589_2_00825A58
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00821A749_2_00821A74
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008FBA769_2_008FBA76
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008A2B919_2_008A2B91
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0088FBB09_2_0088FBB0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008C5BB79_2_008C5BB7
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008EFBB39_2_008EFBB3
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008A3BF19_2_008A3BF1
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007B9BF49_2_007B9BF4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008B9B2E9_2_008B9B2E
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0082DB309_2_0082DB30
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008BFB5C9_2_008BFB5C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0081DCAC9_2_0081DCAC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00817CB89_2_00817CB8
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00828CBC9_2_00828CBC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00802CC89_2_00802CC8
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00915CDB9_2_00915CDB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00801CF09_2_00801CF0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0080AC089_2_0080AC08
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00914C3C9_2_00914C3C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008E4C589_2_008E4C58
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00818C789_2_00818C78
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00827D809_2_00827D80
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00904D8E9_2_00904D8E
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0092DDBB9_2_0092DDBB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008C7D019_2_008C7D01
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00927D0B9_2_00927D0B
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008CCD5D9_2_008CCD5D
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007BED889_2_007BED88
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0089DD7E9_2_0089DD7E
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007E5D849_2_007E5D84
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008E1ECB9_2_008E1ECB
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008D6EC49_2_008D6EC4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008E7EC79_2_008E7EC7
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008BBED09_2_008BBED0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00812EDC9_2_00812EDC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0081CEF49_2_0081CEF4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008EDE1F9_2_008EDE1F
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007B8EE49_2_007B8EE4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007E2EAC9_2_007E2EAC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008B0E669_2_008B0E66
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007B4E809_2_007B4E80
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_0082CF9C9_2_0082CF9C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007C6F589_2_007C6F58
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007D1F509_2_007D1F50
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008D7FDD9_2_008D7FDD
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_007CEF089_2_007CEF08
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_00829FF49_2_00829FF4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008A0F3C9_2_008A0F3C
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 9_2_008BCF659_2_008BCF65
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014000116412_2_0000000140001164
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014005EFEC12_2_000000014005EFEC
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014001D02012_2_000000014001D020
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400638E412_2_00000001400638E4
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014001292412_2_0000000140012924
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014006016412_2_0000000140060164
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400021BC12_2_00000001400021BC
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014000C20C12_2_000000014000C20C
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_0000000140021C5812_2_0000000140021C58
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400614CC12_2_00000001400614CC
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_00000001400054E412_2_00000001400054E4
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014001565C12_2_000000014001565C
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_000000014006577C12_2_000000014006577C
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeCode function: 12_2_0000000140061FDC12_2_0000000140061FDC
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FF7C6BD0B8D18_2_00007FF7C6BD0B8D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FF7C6BD169D18_2_00007FF7C6BD169D
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe 4F0B2C61BCCFD9AA3DB301EE4E15607DF41DED533757DE34C986A0FF25B6246D
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\NsoACf_8412.sys C37BF1ABC0662B4F18607E2D7B75F5C600E45EA5604DAFFA54674E2AEBDCE9F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exe | Code function: String function: 000001A914DC84A8 appears 48 times
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: String function: 007CB600 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: String function: 0000000140011D54 appears 40 times
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe, 00000000.00000000.1293484709.0000000000683000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameproquota.exej% vs SecuriteInfo.com.FileRepMalware.14920.16794.exe
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Binary or memory string: OriginalFilenameproquota.exej% vs SecuriteInfo.com.FileRepMalware.14920.16794.exe
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\AOH1wqLL_8412
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.svchost.exe.1a914da0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: Section: m2 ZLIB complexity 0.9943319387294259
Source: NsoACf_8412.sys.9.dr | Binary string: \Device\Udp6\Device\Udp\Device\Tcp6\Device\Tcp
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@23/19@2/6
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007B5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_0041DE90 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3FA0BA37-09C6-4551-AE7D-90F1279DF03F}
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Mutant created: \Sessions\1\BaseNamedObjects\{332F5D59-2BCB-4D58-B258-019647CFE541}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8700:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3309A6B4-2F09-4BC8-A971-5D5A3B1B34EE}
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BECD724E-BB45-47CB-82D8-31731BA1EB16}
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{213CD3BF-7EA5-4F3F-A371-F1D075B5EB25}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8680:120:WilError_03
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
Source: C:\Windows\System32\svchost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Virustotal: Detection: 45%
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\svchost.exe | Process created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: dbgcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wpdshext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: slc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: wldp.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static file information: File size 1280000 > 1048576
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: Raw size of m2 is bigger than: 0x100000 < 0x137600
Source: Binary string: sers\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: w32tm.exe, 0000000C.00000002.1544161738.000000000056C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DB8830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress, 3_2_000001A914DB8830
Source: initial sample | Static PE information: section where entry point is pointing to: m2
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: section name: m0
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: section name: m1
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: section name: m2
Source: tzutil.exe.3.dr | Static PE information: section name: e0
Source: tzutil.exe.3.dr | Static PE information: section name: e1
Source: tzutil.exe.3.dr | Static PE information: section name: e2
Source: w32tm.exe.3.dr | Static PE information: section name: s00
Source: w32tm.exe.3.dr | Static PE information: section name: s01
Source: w32tm.exe.3.dr | Static PE information: section name: s02
Source: NsoACf_8412.sys.9.dr | Static PE information: section name: vs0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_0042C275 push ecx; ret 0_2_0042C288
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00412218 push ds; retn 0007h 0_2_0041221F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_0049B3CD push ecx; ret 0_2_0049B3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_004075BB push ecx; retf 0000h 0_2_004075BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_004C570A pushfd ; ret 0_2_004C572A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00493F8D push ebp; ret 0_2_00493FBA
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007B2D40 push rcx; iretd 9_2_007B2D43
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00837E88 push rax; retn 0083h 9_2_00837E89
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 12_2_00000001400136B7 push rsp; iretd 12_2_00000001400136B8
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 12_2_00000001400136D2 push rsp; iretd 12_2_00000001400136D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C69ED2A5 pushad ; iretd 13_2_00007FF7C69ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C6B02851 push ebp; iretd 13_2_00007FF7C6B02852
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C6B0350D pushfd ; iretd 13_2_00007FF7C6B03532
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C6B019B2 push ebp; iretd 13_2_00007FF7C6B019B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C6BD7BFC push esp; iretd 13_2_00007FF7C6BD7BFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C6BD7F5F push ecx; iretd 13_2_00007FF7C6BD7F61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FF7C69ED2A5 pushad ; iretd 18_2_00007FF7C69ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FF7C6B019DC pushad ; ret 18_2_00007FF7C6B019E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FF7C6B0194A push ebp; iretd 18_2_00007FF7C6B019A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FF7C6BD7BFC push esp; iretd 18_2_00007FF7C6BD7BFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FF7C6BD7F5F push ecx; iretd 18_2_00007FF7C6BD7F61
Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe | Static PE information: section name: m2 entropy: 7.992237742926046
Source: tzutil.exe.3.dr | Static PE information: section name: e2 entropy: 7.98512194275999
Source: w32tm.exe.3.dr | Static PE information: section name: s02 entropy: 7.959351043402205
Source: NsoACf_8412.sys.9.dr | Static PE information: section name: .text entropy: 7.126561604240753

Persistence and Installation Behavior

Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\NsoACf_8412.sys
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Boot Survival

Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AOH1wqLL_8412
Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\svchost.exe  File deleted: c:\users\user\desktop\securiteinfo.com.filerepmalware.14920.16794.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\svchost.exe  Code function: 3_2_000001A914DB8830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress  3_2_000001A914DB8830
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe  Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{42F09F7D-CA44-409E-A936-E948CF4ECA66} {875376CD-1334-41AA-8A36-0C7105D31883}
                  Source: C:\Windows\System32\svchost.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | System information queried: FirmwareTableInformation
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | System information queried: FirmwareTableInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 5CE347
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 54FA04
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 57183A
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 570A21
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 553097
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 588504
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 5D184C
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 5894D1
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API/Special instruction interceptor: Address: 7FF84F7AE814
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Special instruction interceptor: First address: 5D0216 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Special instruction interceptor: First address: 14041DA0C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Special instruction interceptor: First address: 1402AC77B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,3_2_000001A914DBDE00
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6084
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3637
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7275
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2258
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6734
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2113
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Dropped PE file which has not been started: C:\Windows\Temp\NsoACf_8412.sys
                  Source: C:\Windows\System32\svchost.exe | Evaded block: after key decision (graph_3-18337)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-11379)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API coverage: 5.1 %
                  Source: C:\Windows\System32\svchost.exe | API coverage: 7.8 %
                  Source: C:\Windows\System32\svchost.exe TID: 8756 | Thread sleep time: -69000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 8776 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8812 | Thread sleep count: 6084 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8812 | Thread sleep count: 3637 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8876 | Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740 | Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6872 | Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | Code function: 0_2_00410AA0 SHGetKnownFolderPath,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_00410AA0
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DA97F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,3_2_000001A914DA97F0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_008035CC FindFirstFileA,FindNextFileA,FindClose,9_2_008035CC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00821C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,9_2_00821C54
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_007B5BCC GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,9_2_007B5BCC
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: svchost.exe, 00000003.00000002.2566723213.000001A913499000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: w32tm.exe, 0000000C.00000002.1544161738.0000000000592000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %SystemRoot%\system32\NLAapi.dllHyper-V RAW'
                  Source: svchost.exe, 00000003.00000002.2566589298.000001A913471000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: tzutil.exe, 00000009.00000002.1512090714.00000000005D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                  Source: svchost.exe, 00000003.00000002.2566568267.000001A913413000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                  Source: SecuriteInfo.com.FileRepMalware.14920.16794.exe, 00000000.00000002.1303941713.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: svchost.exe, 00000003.00000002.2566723213.000001A913499000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWRSVP UDP Service Provider
                  Source: svchost.exe, 00000003.00000002.2566723213.000001A9134A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: w32tm.exe, 0000000C.00000002.1544161738.00000000005A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11394)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11294)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11402)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11384)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11292)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11390)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11381)
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe | API call chain: ExitProcess graph end node (graph_0-11317)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DCC5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_000001A914DCC5E0
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DBDE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,3_2_000001A914DBDE00
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DB8830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,3_2_000001A914DB8830
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00829204 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,9_2_00829204
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DCC5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_000001A914DCC5E0
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DCE5B8 SetUnhandledExceptionFilter,3_2_000001A914DCE5B8
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DD0E94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_000001A914DD0E94
                  Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000001A914DCA818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_000001A914DCA818
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0081C280 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0081C280
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_0081C540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0081C540
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00819924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00819924
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 9_2_00819B18 SetUnhandledExceptionFilter,9_2_00819B18

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\svchost.exe File created: tzutil.exe.3.dr
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: 0_2_00406DB0 GetCurrentProcess,CreateProcessW,NtCreateSection,NtMapViewOfSection,_memmove,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,_memmove,NtMapViewOfSection,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,0_2_00406DB0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtProtectVirtualMemory: Direct from: 0x1400026B1
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x140248445
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtProtectVirtualMemory: Direct from: 0x1403EF966
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtProtectVirtualMemory: Direct from: 0x14041B939
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtProtectVirtualMemory: Direct from: 0x1402ED468
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtQuerySystemInformation: Direct from: 0x1403EC0F4
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x14025B23F
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtQuerySystemInformation: Direct from: 0x140225E38
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtQuerySystemInformation: Direct from: 0x14022B9FE
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtQuerySystemInformation: Direct from: 0x1403F6D10
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x140166C45
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x1402A1C00
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtProtectVirtualMemory: Direct from: 0x1403EB20A
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtQuerySystemInformation: Direct from: 0x140236AB8
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtQuerySystemInformation: Direct from: 0x1403FD737
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x1402391CE
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x140239FF3
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtQuerySystemInformation: Direct from: 0x1402412BC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtQuerySystemInformation: Direct from: 0x140255CB2
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe NtProtectVirtualMemory: Direct from: 0x14040D940
                  Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe NtProtectVirtualMemory: Direct from: 0x14029D239
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004043D0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: 0_2_004044A0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004044A0
                  Source: C:\Windows\System32\svchost.exe Code function: 3_2_000001A914DA42E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,3_2_000001A914DA42E0
                  Source: C:\Windows\System32\svchost.exe Code function: 3_2_000001A914DA43D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,3_2_000001A914DA43D0
                  Source: C:\Windows\System32\svchost.exe Code function: 3_2_000001A914DAA3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,3_2_000001A914DAA3B0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" ""
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: 0_2_0040CFB8 SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,0_2_0040CFB8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: 0_2_0041D480 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0041D480
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: ___crtGetLocaleInfoEx,WSACreateEvent,___crtGetLocaleInfoEx,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,0_2_00421A20
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: ___crtGetLocaleInfoEx,WSACreateEvent,___crtGetLocaleInfoEx,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,0_2_00421DA0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: GetLocaleInfoA,9_2_0081E5E8
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14920.16794.exe Code function: 0_2_0040804B GetSystemTime,SystemTimeToFileTime,0_2_0040804B
                  Source: C:\Windows\System32\svchost.exe Code function: 3_2_000001A914DC5AD0 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,RtlGetVersion,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,3_2_000001A914DC5AD0
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 9_2_0081D80C _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,9_2_0081D80C
                  Source: C:\Windows\System32\svchost.exe Code function: 3_2_000001A914DCF6DC HeapCreate,GetVersion,HeapSetInformation,3_2_000001A914DCF6DC
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 3.2.svchost.exe.1a914da0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1303207128.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000003.00000002.2566939197.000001A914DD8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1303941713.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.14920.16794.exe PID: 8652, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: svchost.exe PID: 8708, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: 3.2.svchost.exe.1a914da0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.8bbfd8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.SecuriteInfo.com.FileRepMalware.14920.16794.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1303207128.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000003.00000002.2566939197.000001A914DD8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1303941713.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.14920.16794.exe PID: 8652, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: svchost.exe PID: 8708, type: MEMORYSTR
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 9_2_007D92C4 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,9_2_007D92C4
                  Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe Code function: 9_2_007C8C10 htons,bind,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,9_2_007C8C10
                  MITRE ATT&CK Matrix (the matrix grid did not survive extraction; only the tactic columns and the techniques marked with a match count are recoverable, the per-cell counts themselves are not)

                  Tactics (columns): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

                  Techniques with matching signatures: Scripting; Native API; Exploitation for Privilege Escalation; Disable or Modify Tools; Input Capture; System Time Discovery; Archive Collected Data; Ingress Tool Transfer; Exploitation for Client Execution; LSASS Driver; Abuse Elevation Control Mechanism; Deobfuscate/Decode Files or Information; Account Discovery; Encrypted Channel; DLL Side-Loading; File and Directory Discovery; Non-Application Layer Protocol; Windows Service; Obfuscated Files or Information; System Information Discovery; Application Layer Protocol; Registry Run Keys / Startup Folder; Access Token Manipulation; Software Packing; Security Software Discovery; Virtualization/Sandbox Evasion; Process Injection; File Deletion; Process Discovery; Masquerading; Application Window Discovery; Modify Registry; System Owner/User Discovery
                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1656622
                  Sample: SecuriteInfo.com.FileRepMal...
                  Startdate: 04/04/2025
                  Architecture: WINDOWS
                  Score: 100

                  Start
                    DNS/IP Info: grabify.link; edge.geo.kaspersky.com; devbuilds.s.kaspersky-labs.com
                    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                    started: SecuriteInfo.com.FileRepMalware.14920.16794.exe (graph counts: 3 1)
                      Signatures: Query firmware table information (likely to detect VMs); Contains functionality to inject code into remote processes; Adds a directory exclusion to Windows Defender; 4 other signatures
                      started: svchost.exe (graph counts: 3 7)
                        DNS/IP Info: 82.29.67.160, 443, 49724, 49727 NTLGB United Kingdom; grabify.link 104.26.8.202, 443, 49725, 49726 CLOUDFLARENETUS United States; 107.174.192.179, 49723, 80 AS-COLOCROSSINGUS United States
                        Created Files (dropped): C:\Users\user\AppData\Local\...\w32tm.exe, PE32+; C:\ProgramData\...\tzutil.exe, PE32+; C:\Users\user\AppData\Local\Temp\...\set.bat, PNG
                        Signatures: Benign windows process drops PE files; Creates autostart registry keys with suspicious names; Deletes itself after installation; Searches for specific processes (likely to inject)
                        started: tzutil.exe (graph counts: 7 4)
                          DNS/IP Info: 104.168.28.10, 49731, 49734, 49737 AS-COLOCROSSINGUS United States; 127.0.0.1 unknown unknown
                          Created Files (dropped): C:\Windows\Temp46soACf_8412.sys, PE32+
                          Signatures: Query firmware table information (likely to detect VMs); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; Found direct / indirect Syscall (likely to bypass EDR)
                          started: powershell.exe (graph counts: 23)
                            Signatures: Loading BitLocker PowerShell Module
                            started: conhost.exe
                          started: powershell.exe (graph counts: 23)
                            started: conhost.exe
                        started: w32tm.exe (graph counts: 6)
                          DNS/IP Info: edge.geo.kaspersky.com 4.28.136.57, 443, 49762, 49768 LEVEL3US United States
                          Signatures: Multi AV Scanner detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Tries to evade analysis by execution special instruction (VM detection)
                        started: cmd.exe (graph counts: 1)
                          started: conhost.exe
                      started: cmd.exe (graph counts: 1)
                        Signatures: Adds a directory exclusion to Windows Defender
                        started: powershell.exe (graph counts: 23)
                          Signatures: Loading BitLocker PowerShell Module
                        started: conhost.exe
                        started: WmiPrvSE.exe
