Windows Analysis Report
LkIQdqTVXS.exe

Overview

General Information

Sample name: LkIQdqTVXS.exe (renamed because the original name is a hash value)
Original sample name: 38220c00acde8eff7c2fdb50a5e16dd1.exe
Analysis ID: 1471373
MD5: 38220c00acde8eff7c2fdb50a5e16dd1
SHA1: 2dd1a2e195e95a45d3677f3032188c086a731f7f
SHA256: 55ed26b6f299b040e0378f25b4c2d5acc85af412ee7d4c10b95297e43ed4d6bc
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected EXE embedded in BAT file
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • LkIQdqTVXS.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\LkIQdqTVXS.exe" MD5: 38220C00ACDE8EFF7C2FDB50A5E16DD1)
    • powershell.exe (PID: 7540 cmdline: "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7756 cmdline: "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\677b00078d834750b687d58f584bec52'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7916 cmdline: "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8068 cmdline: "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\JuMXGqLRKI.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rVzBEyDXVq.exe (PID: 7184 cmdline: "C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe" MD5: FF675CB915A1BFBC7257942B2B247CA8)
    • WerFault.exe (PID: 5444 cmdline: C:\Windows\system32\WerFault.exe -u -p 7512 -s 836 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. It also takes a system inventory of the target machine, including the username, location data, hardware configuration, and installed security software. More recent versions added the ability to steal cryptocurrency. FTP and IM clients are apparently also targeted, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration:
{"C2 url": "89.23.96.98:1912", "Bot Id": "Sims", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Yara matches (Source | Rule | Description | Author)

Submitted sample:
  LkIQdqTVXS.exe | JoeSecurity_EXEembeddedinBATfile | Yara detected EXE embedded in BAT file | Joe Security
Network traffic:
  dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
  dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Dropped files:
  C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Memory dumps:
  0000000A.00000000.1789181636.0000000000632000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000000.00000002.1931177967.0000024BF8400000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  Process Memory Space: LkIQdqTVXS.exe PID: 7512 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  (2 further memory-dump entries not shown in this extract)
Unpacked PE files:
  10.0.rVzBEyDXVq.exe.630000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
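The "EXE embedded in BAT file" match above is the kind of finding an analyst usually wants to reproduce by hand before trusting a dropped-file hash. The following script is an added example, not part of the Joe Sandbox report and not Joe Security's Yara logic: it scans a carrier file for an MZ stub whose e_lfanew points at a valid PE signature, sizes the image from its section table so it can be carved, and exposes the TimeDateStamp behind the report's "suspicious time stamp" signature. The carrier and the one-section x64 image it contains are constructed here so the script runs offline.

```python
"""Find and carve PE images embedded inside a carrier file (e.g. a .bat).

Added example; the carrier text and the embedded PE are synthetic.
"""
import struct
from datetime import datetime, timezone
from typing import List, Optional


def _parse_pe(data: bytes, base: int) -> Optional[dict]:
    """Validate a candidate PE at `base` and return its layout, or None."""
    if base + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    if not 1 <= nsections <= 96:              # loader refuses more than 96 sections
        return None
    sect = pe + 24 + opt_size                 # first IMAGE_SECTION_HEADER (40 bytes each)
    end = sect + nsections * 40               # image is at least as long as its headers
    for i in range(nsections):
        off = sect + i * 40
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return {
        "offset": base,
        "size": end,
        "truncated": base + end > len(data),
        "machine": hex(machine),
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
    }


def find_embedded_pe(data: bytes) -> List[dict]:
    """Every validated PE header in `data`, in file order."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        info = _parse_pe(data, pos)
        if info:
            hits.append(info)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data: bytes, hit: dict) -> bytes:
    """Extract the bytes of one hit returned by find_embedded_pe()."""
    return data[hit["offset"]:hit["offset"] + hit["size"]]


def timestamp_plausible(timestamp: int, now: int) -> bool:
    """A PE TimeDateStamp in the future or before 2000-01-01 is suspicious."""
    return 946_684_800 <= timestamp <= now


def build_synthetic_pe(timestamp: int, payload: bytes = b"\xcc" * 0x200) -> bytes:
    """Minimal x64 image: DOS stub, COFF header, empty optional header, one section."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + section
    return headers.ljust(0x200, b"\0") + payload                 # raw data starts at 0x200


# Constructed carrier: batch text wrapped around the synthetic image.
CARRIER_PREFIX = b"@echo off\r\nrem constructed carrier\r\n"
SAMPLE_BAT = CARRIER_PREFIX + build_synthetic_pe(1_700_000_000) + b"\r\nexit /b\r\n"

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_BAT):
        print(hit, "carved bytes:", len(carve(SAMPLE_BAT, hit)))
```

The size estimate is the largest PointerToRawData + SizeOfRawData over all sections, which is how a file-mapped image ends; overlays appended after the last section (common in droppers) are not captured and have to be sized separately.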

                      System Summary

Sigma rule matches (all three fire on the same process-creation event, PID 7540, spawned by LkIQdqTVXS.exe PID 7512; the report's signature list names the matched rules as "Powershell Base64 Encoded MpPreference Cmdlet" and "Powershell Defender Exclusion"):
  Source: Process started | Author: Florian Roth (Nextron Systems)
  Source: Process started | Author: Florian Roth (Nextron Systems)
  Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Matched event data:
    Command / CommandLine / ProcessCommandLine: "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b'"
    CommandLine|base64offset|contains: *&
    Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: "C:\Users\user\Desktop\LkIQdqTVXS.exe"
    ParentImage: C:\Users\user\Desktop\LkIQdqTVXS.exe
    ParentProcessId: 7512, ParentProcessName: LkIQdqTVXS.exe
    ProcessId: 7540, ProcessName: powershell.exe
  The process tree shows the same cmdlet run three more times (PIDs 7756, 7916, 8068) to exclude a second directory and the two dropped executables rVzBEyDXVq.exe and JuMXGqLRKI.exe; only the first instance is listed here.
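The Sigma matches above rest on two checks: a plain-text match on the Add-MpPreference / -ExclusionPath command line, and a base64offset match that also catches the cmdlet when it is hidden behind -EncodedCommand. The script below is an added example, not part of the Joe Sandbox report and not Nextron's or Joe Security's code: it re-implements both checks over constructed process-creation events, one of which mirrors PID 7540 from this report. The base64offset handling follows the Sigma modifier of that name; the keyword list and the exact regular expression are this example's own approximation, not the published rules' contents.

```python
"""Detect Windows Defender exclusion tampering via PowerShell, plain or base64.

Added example. Events below are constructed; the first copies PID 7540 from
the report, the second is the same cmdlet passed through -EncodedCommand.
"""
import base64
import re
from typing import List

# Cmdlets that add or change Defender exclusions. Both casings are listed
# because the base64 form is case-sensitive even though PowerShell is not.
KEYWORDS = ("Add-MpPreference", "Set-MpPreference",
            "add-mppreference", "set-mppreference")

# Plain-text form: cmdlet followed somewhere by an exclusion parameter.
PLAIN_RE = re.compile(r"(?i)\b(add|set)-mppreference\b.*?-exclusion(path|extension|process)")

# Sigma base64offset: a keyword may start at any of three byte alignments in a
# base64 stream. Prefix i filler bytes, encode, then trim the characters whose
# value depends on the unknown neighbouring bytes.
_START = (0, 2, 3)         # indexed by prefix length i
_END = (None, -3, -2)      # indexed by (len(keyword) + i) % 3


def base64offset_variants(keyword: str, encoding: str = "utf-8") -> List[str]:
    raw = keyword.encode(encoding)
    variants = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + raw)
        variants.append(enc[_START[i]:_END[(len(raw) + i) % 3]].decode("ascii"))
    return variants


def encoded_hits(cmdline: str) -> List[str]:
    """Base64 fragments of any keyword found in cmdline. -EncodedCommand takes
    UTF-16LE, so both UTF-8 and UTF-16LE encodings of each keyword are tried."""
    return [v for kw in KEYWORDS for enc in ("utf-8", "utf-16le")
            for v in base64offset_variants(kw, enc) if v in cmdline]


def detect(events: List[dict]) -> List[dict]:
    """One alert per (event, rule) over process-creation events."""
    alerts = []
    for ev in events:
        cmd = ev["CommandLine"]
        if PLAIN_RE.search(cmd):
            alerts.append({"ProcessId": ev["ProcessId"], "rule": "defender_exclusion_plain",
                           "ParentImage": ev["ParentImage"]})
        hits = encoded_hits(cmd)
        if hits:
            alerts.append({"ProcessId": ev["ProcessId"], "rule": "defender_exclusion_base64",
                           "ParentImage": ev["ParentImage"], "fragments": hits})
    return alerts


# Constructed events (PIDs 9001-9003 and their parents are made up).
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\x'".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"ProcessId": 7540, "ParentImage": r"C:\Users\user\Desktop\LkIQdqTVXS.exe",
     "CommandLine": "\"powershell\" -Command \"Add-MpPreference -ExclusionPath "
                    "'C:\\Users\\user\\AppData\\Roaming\\411eb279481e454fb468ac701336461b'\""},
    {"ProcessId": 9001, "ParentImage": r"C:\Users\user\Downloads\dropper.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {_ENCODED}"},
    {"ProcessId": 9002, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command \"Get-MpPreference | Select-Object ExclusionPath\""},
    {"ProcessId": 9003, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent image is carried into each alert because it is what separates this report's pattern (a user-writable executable spawning PowerShell to exclude its own drop directory) from an administrator running the same cmdlet interactively; a production rule would filter on it rather than on the cmdlet alone.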
Snort alerts (timestamp | SID | source port -> destination port | protocol | classtype):
  07/11/24-10:52:13.117478 | 2046045 | 49731 -> 1912 | TCP | A Network Trojan was detected
  07/11/24-10:52:13.117478 | 2043231 | 49731 -> 1912 | TCP | A Network Trojan was detected
  07/11/24-10:52:13.361215 | 2043234 | 1912 -> 49731 | TCP | A Network Trojan was detected


                      AV Detection

Source: 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "89.23.96.98:1912", "Bot Id": "Sims", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | ReversingLabs: Detection: 76%
Source: LkIQdqTVXS.exe | ReversingLabs: Detection: 44%
Source: LkIQdqTVXS.exe | Virustotal: Detection: 41%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Joe Sandbox ML: detected
Source: LkIQdqTVXS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\nJUFUdfds\ConsoleApp1\Game\bin\Release\net8.0\win-x64\native\Game.pdb | source: LkIQdqTVXS.exe
Source: Binary string: D:\nJUFUdfds\ConsoleApp1\Game\bin\Release\net8.0\win-x64\native\Game.pdbyy: | source: LkIQdqTVXS.exe
Note: the bin\Release\net8.0\win-x64\native\ segment of the PDB path is the output layout of a .NET 8 NativeAOT publish, so the dropper is ahead-of-time compiled native x64 code rather than a managed assembly; this is consistent with the 64-bit image addresses in the code-function entries below and means the usual .NET decompilers will not recover its source.
Inlined nop sequences (signature "Found inlined nop instructions"; source: C:\Users\user\Desktop\LkIQdqTVXS.exe). Runs of nops ahead of a prologue are also ordinary alignment padding emitted by native compilers, so on their own they are weak evidence of obfuscation.
  4x nop then push rbx | 0_2_00007FF76E3AEF20
  4x nop then push rbx | 0_2_00007FF76E322154
  4x nop then push rsi | 0_2_00007FF76E3AF030
  4x nop then push rbx | 0_2_00007FF76E3AF030
  4x nop then push rbx | 0_2_00007FF76E3AF030
  4x nop then push rbx | 0_2_00007FF76E322154
  4x nop then push rbx | 0_2_00007FF76E429EE0
  4x nop then sub rsp, 28h | 0_2_00007FF76E3AEB80
  4x nop then sub rsp, 28h | 0_2_00007FF76E3AEB80
  4x nop then sub rsp, 28h | 0_2_00007FF76E3AEB80
  4x nop then sub rsp, 28h | 0_2_00007FF76E3ADC90
  4x nop then push r14 | 0_2_00007FF76E440CF0
  4x nop then sub rsp, 28h | 0_2_00007FF76E4487B0
  4x nop then sub rsp, 28h | 0_2_00007FF76E3AF2A0
  4x nop then push rsi | 0_2_00007FF76E3AF2A0
  4x nop then push rdi | 0_2_00007FF76E3AF2A0

                      Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49731 -> 89.23.96.98:1912
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49731 -> 89.23.96.98:1912
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 89.23.96.98:1912 -> 192.168.2.4:49731
Source: Malware configuration extractor | URLs: 89.23.96.98:1912
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 89.23.96.98:1912
Source: Joe Sandbox View | ASN Name: MAXITEL-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.96.98 (reported 50 times; the C2 address is hard-coded in the extracted configuration, so no DNS lookup precedes the connection)
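Two of the networking findings above are mechanical and worth reproducing on one's own captures: a TCP connection to a public address that no DNS answer ever returned, and whether that connection matches the "C2 url" in the extracted configuration. The script below is an added example, not part of the Joe Sandbox report and not Joe Security's code: it aggregates DNS-less TCP flows per destination and port and tags the ones that match the configuration or use a non-standard port. The flow records and DNS answers are constructed to mirror this report's 192.168.2.4 -> 89.23.96.98:1912 session; TEST-NET documentation addresses stand in for unrelated hosts.

```python
"""Correlate sandbox flows with DNS answers and the extracted RedLine C2.

Added example. Flows and DNS answers below are constructed.
"""
import json
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Configuration string exactly as the report's extractor produced it.
CONFIG_JSON = ('{"C2 url": "89.23.96.98:1912", "Bot Id": "Sims", '
               '"Authorization Header": "c74790bd166600f1f665c8ce201776eb"}')

COMMON_TCP_PORTS = {80, 443, 8080, 8443}

# RFC 1918, loopback, link-local and multicast. The TEST-NET documentation
# ranges are deliberately left routable so the constructed sample works.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_c2(config_json: str) -> Tuple[str, int]:
    """Split the 'host:port' C2 url out of a RedLine configuration blob."""
    host, _, port = json.loads(config_json)["C2 url"].rpartition(":")
    return host, int(port)


def is_routable(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def dnsless_tcp(flows: List[Flow], dns_answers: List[Tuple[str, str]]) -> List[Flow]:
    """TCP flows to routable destinations that never appeared in a DNS answer."""
    resolved = {ip for _qname, ip in dns_answers}
    return [f for f in flows
            if f.proto == "TCP" and is_routable(f.dst) and f.dst not in resolved]


def correlate(flows: List[Flow], dns_answers: List[Tuple[str, str]], config_json: str) -> List[dict]:
    """Aggregate DNS-less TCP flows per (dst, dport) and tag each group."""
    c2_host, c2_port = parse_c2(config_json)
    counts = Counter((f.dst, f.dport) for f in dnsless_tcp(flows, dns_answers))
    findings = []
    for (dst, dport), n in sorted(counts.items()):
        tags = ["no_dns"]
        if (dst, dport) == (c2_host, c2_port):
            tags.append("matches_extracted_c2")
        if dport not in COMMON_TCP_PORTS:
            tags.append("non_standard_port")
        findings.append({"dst": dst, "dport": dport, "connections": n, "tags": tags})
    return findings


# Constructed sample data.
SAMPLE_DNS = [("update.example.com", "203.0.113.10")]
SAMPLE_FLOWS = [
    Flow("192.168.2.4", 53477, "192.168.2.1", 53, "UDP"),      # the DNS query itself
    Flow("192.168.2.4", 49730, "203.0.113.10", 443, "TCP"),    # resolved first: benign
    Flow("192.168.2.4", 49731, "89.23.96.98", 1912, "TCP"),    # C2 session from the report
    Flow("192.168.2.4", 49735, "89.23.96.98", 1912, "TCP"),    # reconnect
    Flow("192.168.2.4", 49740, "198.51.100.7", 443, "TCP"),    # hard-coded, but not the C2
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_FLOWS, SAMPLE_DNS, CONFIG_JSON):
        print(finding)
```

The 198.51.100.7 group shows the limit of the heuristic: a DNS-less connection is only suspicious, not conclusive, until it is tied to an extracted indicator or an IDS signature such as the three Snort rules above.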
Strings found in binary or memory (rVzBEyDXVq.exe). These are the standard WS-Security, WS-Trust, WS-Addressing and WS-AtomicTransaction namespace URIs that the .NET System.ServiceModel (WCF) library carries; their presence is consistent with the MC-NMF (.NET Message Framing) Snort signature above, and they are library constants rather than C2 indicators in themselves.
  From memory dump 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmp:
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
    http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
    http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
    http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
    http://schemas.xmlsoap.org/ws/2002/12/policy
    http://schemas.xmlsoap.org/ws/2004/04/sc
    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
    http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
    http://schemas.xmlsoap.org/ws/2004/04/trust
    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
    http://schemas.xmlsoap.org/ws/2004/06/addressingex
    http://schemas.xmlsoap.org/ws/2004/10/wsat
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
    http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
    http://schemas.xmlsoap.org/ws/2004/10/wscoor
    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
    http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
    http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
    http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  From memory dump 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp:
    http://schemas.xmlsoap.org/soap/actor/next
    http://schemas.xmlsoap.org/soap/envelope/
    http://schemas.xmlsoap.org/ws/2004/08/addressing
    http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: LkIQdqTVXS.exe, LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: LkIQdqTVXS.exeString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: LkIQdqTVXS.exeString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16V
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: Amcache.hve.0.drString found in binary or memory: http://upx.sf.net
                      Source: LkIQdqTVXS.exeString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
                      Source: LkIQdqTVXS.exeString found in binary or memory: https://aka.ms/dotnet-warnings/
                      Source: LkIQdqTVXS.exeString found in binary or memory: https://aka.ms/nativeaot-c
                      Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
                      Source: LkIQdqTVXS.exeString found in binary or memory: https://aka.ms/nativeaot-compatibilityY
                      Source: LkIQdqTVXS.exeString found in binary or memory: https://aka.ms/nativeaot-compatibilityy
                      Source: LkIQdqTVXS.exe, 00000000.00000002.1931177967.0000024BF8400000.00000004.00001000.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000000.1789181636.0000000000632000.00000002.00000001.01000000.00000005.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe.0.drString found in binary or memory: https://api.ip.sb/ip
                      Source: LkIQdqTVXS.exeString found in binary or memory: https://github.com/dotnet/runtime
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E339DD0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3516E0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3D7000
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3470A0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E340DF0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E352E00
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E35DDB0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E328E24
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E330F00
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E338B60
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E328C80
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3549F0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E350860
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E340844
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E33F330
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E332490
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3374E0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3274B0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3331E0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E43F1E0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E347280
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E34B2E0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E32B310
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Code function: 10_2_0110DC74
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: String function: 00007FF76E32CC30 appears 63 times
                      Source: C:\Users\user\Desktop\LkIQdqTVXS.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7512 -s 836
                      Source: LkIQdqTVXS.exeBinary or memory string: OriginalFilename vs LkIQdqTVXS.exe
                      Source: LkIQdqTVXS.exe, 00000000.00000002.1931983049.00007FF76E668000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameGame.dll* vs LkIQdqTVXS.exe
                      Source: LkIQdqTVXS.exe, 00000000.00000002.1931177967.0000024BF8400000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs LkIQdqTVXS.exe
                      Source: LkIQdqTVXS.exeBinary or memory string: OriginalFilenameGame.dll* vs LkIQdqTVXS.exe
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/24@0/1
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3322C0 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF76E3322C0
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | File created: C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7512
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4ue05rf.1h4.ps1
Source: LkIQdqTVXS.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LkIQdqTVXS.exe | ReversingLabs: Detection: 44%
Source: LkIQdqTVXS.exe | Virustotal: Detection: 41%
Source: LkIQdqTVXS.exe | String found in binary or memory: GGJdaCgA3AWl0AAAAAIMACQNBBDcBaXQAAAAAgwBvBEEEOAEU4QAAAACGGJdaCgA5AdjiAAAAAMYAY1YSBDkB9OIAAAAAlgCLCx8EPAE02gAAAACWAGcyLAQ/AdDaAAAAA
Source: unknown | Process created: C:\Users\user\Desktop\LkIQdqTVXS.exe "C:\Users\user\Desktop\LkIQdqTVXS.exe"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\677b00078d834750b687d58f584bec52'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\JuMXGqLRKI.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe "C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7512 -s 836
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\677b00078d834750b687d58f584bec52'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\JuMXGqLRKI.exe'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Process created: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe "C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: LkIQdqTVXS.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: LkIQdqTVXS.exe | Static file information: File size 2538496 > 1048576
Source: LkIQdqTVXS.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x12c200
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LkIQdqTVXS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: LkIQdqTVXS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\nJUFUdfds\ConsoleApp1\Game\bin\Release\net8.0\win-x64\native\Game.pdb source: LkIQdqTVXS.exe
Source: Binary string: D:\nJUFUdfds\ConsoleApp1\Game\bin\Release\net8.0\win-x64\native\Game.pdbyy: source: LkIQdqTVXS.exe
Source: LkIQdqTVXS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LkIQdqTVXS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LkIQdqTVXS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LkIQdqTVXS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LkIQdqTVXS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Yara match | File source: LkIQdqTVXS.exe, type: SAMPLE
Source: rVzBEyDXVq.exe.0.dr | Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
Source: LkIQdqTVXS.exe | Static PE information: section name: .managed
Source: LkIQdqTVXS.exe | Static PE information: section name: hydrated
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | Code function: 0_2_00007FF76E3423D7 push rbx; iretd 0_2_00007FF76E3423DA
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe | File created: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe

Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Process information set: NOOPENFILEERRORBOX (this entry appears 46 times in the report)
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Memory allocated: 24BF3C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Memory allocated: FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5585
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4197
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6939
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2624
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Window / User API: threadDelayed 2364
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Window / User API: threadDelayed 7248
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes graph_0-17356
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep count: 5585 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 Thread sleep count: 4197 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep count: 7172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep count: 2441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988 Thread sleep count: 2687 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988 Thread sleep count: 6930 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 6939 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep count: 2624 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe TID: 7828 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Code function: 0_2_00007FF76E331EF0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF76E331EF0
Source: Amcache.hve.0.dr Binary or memory string: VMware
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware-vmxh
Source: LkIQdqTVXS.exe Binary or memory string: 5'C:\WINDOWS\system32\drivers\vmmouse.sysy
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: LkIQdqTVXS.exe Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: Amcache.hve.0.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: LkIQdqTVXS.exe Binary or memory string: vmtoolsd.exei
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtrayh
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: !C:\WINDOWS\system32\vboxmrxnp.dll
Source: LkIQdqTVXS.exe Binary or memory string: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools@
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: #C:\WINDOWS\system32\vboxservice.exe
Source: Amcache.hve.0.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware-vmx
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuserh
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware-vmx`Rn
Source: LkIQdqTVXS.exe Binary or memory string: vmwareuser.exe
Source: Amcache.hve.0.dr Binary or memory string: vmci.sys
Source: LkIQdqTVXS.exe Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: LkIQdqTVXS.exe Binary or memory string: -#C:\WINDOWS\system32\vboxservice.exey
Source: LkIQdqTVXS.exe Binary or memory string: )!C:\WINDOWS\system32\vboxmrxnp.dllY
Source: LkIQdqTVXS.exe Binary or memory string: C:\WINDOWS\system32\vboxhook.dll
Source: LkIQdqTVXS.exe Binary or memory string: ' C:\WINDOWS\system32\vboxhook.dlli
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: LkIQdqTVXS.exe Binary or memory string: Q5HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware ToolsY
Source: Amcache.hve.0.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: C:\WINDOWS\system32\vboxtray.exe
Source: LkIQdqTVXS.exe Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.0.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: vboxservice.exe
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: LkIQdqTVXS.exe Binary or memory string: C:\WINDOWS\system32\vboxmrxnp.dll
Source: Amcache.hve.0.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: LkIQdqTVXS.exe, LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: vboxtray.exe
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual USB Mouse
Source: LkIQdqTVXS.exe Binary or memory string: vmwaretray.exe
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: vmtoolsd.exe
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1hbin@
Source: LkIQdqTVXS.exe Binary or memory string: C:\WINDOWS\system32\vboxtray.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: LkIQdqTVXS.exe Binary or memory string: 9)C:\WINDOWS\system32\drivers\VBoxMouse.sysY
Source: Amcache.hve.0.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: LkIQdqTVXS.exe Binary or memory string: ' C:\WINDOWS\system32\vboxtray.exei
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: C:\WINDOWS\system32\vboxhook.dll
Source: LkIQdqTVXS.exe Binary or memory string: vboxservice.exey
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: Amcache.hve.0.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rVzBEyDXVq.exe, 0000000A.00000002.1964126187.0000000000E03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: Amcache.hve.0.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin`
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxserviceh
Source: Amcache.hve.0.dr Binary or memory string: \driver\vmci,\driver\pci
Source: LkIQdqTVXS.exe Binary or memory string: vboxtray.exei
Source: Amcache.hve.0.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: 5HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.0.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: LkIQdqTVXS.exe Binary or memory string: C:\WINDOWS\system32\vboxservice.exe
Source: LkIQdqTVXS.exe, 00000000.00000002.1931656383.00007FF76E44B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: LkIQdqTVXS.exe Binary or memory string: vmware-vmx.exe
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretrayh
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: LkIQdqTVXS.exe, 00000000.00000002.1931080353.0000024BF8003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsdh
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Code function: 0_2_00007FF76E325180 RtlAddVectoredExceptionHandler,RaiseFailFastException,0_2_00007FF76E325180
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Code function: 0_2_00007FF76E3814CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF76E3814CC
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\677b00078d834750b687d58f584bec52'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\JuMXGqLRKI.exe'"
Source: C:\Users\user\Desktop\LkIQdqTVXS.exe Process created: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe "C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LkIQdqTVXS.exeCode function: 0_2_00007FF76E3810EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF76E3810EC
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.0.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.0.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.0.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: rVzBEyDXVq.exe, 0000000A.00000002.1980791241.0000000006A26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.0.drBinary or memory string: MsMpEng.exe
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
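The three Add-MpPreference invocations recorded above are the most reliable detection hook in this chain: the dropper spawns powershell.exe from the user's desktop to exclude its own drop directory and the two dropped executables under %APPDATA% before it runs them. The following Python routine is an added example and not part of the Joe Sandbox report or of the sample; it rates process-creation command lines of that shape, also when the same cmdlet is hidden behind -EncodedCommand, and treats an exclusion on a user-writable path requested by an unmanaged parent as high severity. The sample events, the PIDs of the PowerShell children, the allow-list of expected parent images and the encoded variant are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional

# Parent images from which Defender exclusion changes are expected (assumed allow-list;
# populate from your management tooling). Anything else adding an exclusion is suspect.
EXPECTED_PARENTS = {
    r"c:\windows\ccm\ccmexec.exe",   # assumed: SCCM client agent
}

# -EncodedCommand and the abbreviations PowerShell accepts, followed by the base64 blob.
_ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Add-/Set-MpPreference call and its argument tail, then each -Exclusion* value; values may be
# single-quoted, double-quoted, bare, or a comma-separated list of those.
_MP_PREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b(?P<args>[^;|\r\n]*)")
_TOKEN = r"'[^']*'|\"[^\"]*\"|[^\s;|,]+"
_EXCL_ARG = re.compile(
    rf"(?i)-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<val>(?:{_TOKEN})(?:\s*,\s*(?:{_TOKEN}))*)")


def encode_for_powershell(script: str) -> str:
    """What an attacker does to hide the cmdlet: UTF-16LE then base64, as -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if the flag is absent or undecodable."""
    m = _ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_exclusions(script: str) -> List[Dict[str, str]]:
    """Every -ExclusionPath/-ExclusionProcess/-ExclusionExtension value passed to Add-/Set-MpPreference."""
    found = []
    for call in _MP_PREF.finditer(script):
        for arg in _EXCL_ARG.finditer(call.group("args")):
            for tok in re.findall(_TOKEN, arg.group("val")):
                found.append({"kind": arg.group("kind").lower(), "value": tok.strip("'\"")})
    return found


def is_user_writable(path: str) -> bool:
    """True for locations an unprivileged user (and so malware running as that user) can write."""
    p = path.lower().replace("/", "\\").rstrip("\\") + "\\"
    if re.fullmatch(r"[a-z]:\\", p):                        # whole-drive exclusion
        return True
    if "\\users\\" in p and ("\\appdata\\" in p or "\\users\\public\\" in p):
        return True
    return "\\programdata\\" in p or "\\windows\\temp\\" in p


def evaluate(event: Dict) -> Dict:
    """Rate one process-creation event; works on plaintext and -EncodedCommand forms alike."""
    decoded = decode_encoded_command(event["cmdline"])
    exclusions = extract_exclusions(decoded if decoded is not None else event["cmdline"])
    parent_ok = event.get("parent_image", "").lower() in EXPECTED_PARENTS
    if not exclusions:
        severity = "none"
    elif not parent_ok and any(e["kind"] == "path" and is_user_writable(e["value"]) for e in exclusions):
        severity = "high"      # unmanaged parent carving out a user-writable drop directory
    elif not parent_ok:
        severity = "medium"
    else:
        severity = "low"
    return {"pid": event["pid"], "encoded": decoded is not None,
            "exclusions": exclusions, "severity": severity}


def ps_add_exclusion(path: str) -> str:
    """The exact command-line shape recorded in the report, used to build the sample events."""
    return '"powershell" -Command "Add-MpPreference -ExclusionPath \'' + path + '\'"'


# Constructed sample telemetry (e.g. Sysmon Event ID 1 CommandLine). The first three reproduce
# the invocations recorded above (child PIDs are made up); the fourth is a constructed
# -EncodedCommand variant of the second; the last two are benign controls.
SAMPLE_EVENTS = [
    {"pid": 7620, "parent_image": r"C:\Users\user\Desktop\LkIQdqTVXS.exe",
     "cmdline": ps_add_exclusion(r"C:\Users\user\AppData\Roaming\677b00078d834750b687d58f584bec52")},
    {"pid": 7632, "parent_image": r"C:\Users\user\Desktop\LkIQdqTVXS.exe",
     "cmdline": ps_add_exclusion(r"C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe")},
    {"pid": 7648, "parent_image": r"C:\Users\user\Desktop\LkIQdqTVXS.exe",
     "cmdline": ps_add_exclusion(r"C:\Users\user\AppData\Roaming\JuMXGqLRKI.exe")},
    {"pid": 7660, "parent_image": r"C:\Users\user\Desktop\LkIQdqTVXS.exe",
     "cmdline": "powershell -nop -w hidden -enc " + encode_for_powershell(
         r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe'")},
    {"pid": 4410, "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath \'C:\\Program Files\\Microsoft SQL Server\'"'},
    {"pid": 4412, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -Command "Get-Date"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev))
```

On a live host the same command lines surface in PowerShell script-block logging (Event ID 4104) and the resulting exclusion in the Defender operational log (Event ID 5007), so the rule above is best paired with a periodic Get-MpPreference audit of ExclusionPath that flags any entry under %APPDATA%.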

Stealing of Sensitive Information

Source: Yara match  File source: dump.pcap, type: PCAP
Source: Yara match  File source: 10.0.rVzBEyDXVq.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000A.00000000.1789181636.0000000000632000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1931177967.0000024BF8400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: LkIQdqTVXS.exe PID: 7512, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rVzBEyDXVq.exe PID: 7184, type: MEMORYSTR
Source: Yara match  File source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe, type: DROPPED
Source: rVzBEyDXVq.exe, 0000000A.00000002.1974997348.0000000005A9C000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\**
Source: rVzBEyDXVq.exe, 0000000A.00000002.1974997348.0000000005A9C000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\**
Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: JaxxE#
Source: rVzBEyDXVq.exe, 0000000A.00000002.1976868263.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json\*r
Source: rVzBEyDXVq.exe, 0000000A.00000002.1974997348.0000000005A9C000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*-.
Source: rVzBEyDXVq.exe, 0000000A.00000002.1976868263.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json\*r
Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: rVzBEyDXVq.exe, 0000000A.00000002.1974997348.0000000005A9C000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*-.
Source: rVzBEyDXVq.exe, 0000000A.00000002.1974997348.0000000005A9C000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*
Source: rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe  File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match  File source: 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: rVzBEyDXVq.exe PID: 7184, type: MEMORYSTR
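The file-open list above is the stealer's single sweep of browser credential databases (Chrome, Edge and Firefox login and cookie stores) and the configuration directories of eight desktop wallets, all by one process, rVzBEyDXVq.exe (PID 7184), which owns none of them. That cross-application pattern is what to alert on rather than any one path. The routine below is an added example, not part of the report or of the sample: it aggregates file-open telemetry per process and alerts when a process opens another application's store or several stores in one run. The sample events are constructed from the paths recorded above plus benign browser activity; the mapping from store to owning executable is an assumption to be tuned from a software inventory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Stores the stealer enumerates in this report, as regexes over a normalised path, plus the
# executables expected to open each. Browser owners are the real browser binaries; wallet
# owners are left empty (assumption: fill in from your software inventory), so a wallet app
# reading its own directory never trips the "foreign reader" rule on its own.
STORE_RULES: List[Tuple[str, str, str, frozenset]] = [
    ("browser", "chrome",   r"\\google\\chrome\\user data\\.*\\(login data|cookies|web data|extension cookies)$", frozenset({"chrome.exe"})),
    ("browser", "edge",     r"\\microsoft\\edge\\user data\\.*\\(login data|cookies|web data)$", frozenset({"msedge.exe"})),
    ("browser", "firefox",  r"\\mozilla\\firefox\\profiles\\[^\\]+\\(cookies\.sqlite|logins\.json|key4\.db)$", frozenset({"firefox.exe"})),
    ("wallet",  "electrum", r"\\roaming\\electrum\\wallets(\\|$)", frozenset()),
    ("wallet",  "exodus",   r"\\roaming\\exodus(\\|$)", frozenset()),
    ("wallet",  "ethereum", r"\\roaming\\ethereum\\wallets(\\|$)", frozenset()),
    ("wallet",  "coinomi",  r"\\local\\coinomi\\coinomi(\\|$)", frozenset()),
    ("wallet",  "atomic",   r"\\roaming\\atomic(\\|$)", frozenset()),
    ("wallet",  "binance",  r"\\roaming\\binance(\\|$)", frozenset()),
    ("wallet",  "guarda",   r"\\roaming\\guarda(\\|$)", frozenset()),
    ("wallet",  "jaxx",     r"\\roaming\\com\.liberty\.jaxx(\\|$)", frozenset()),
]
_RULES = [(cat, name, re.compile(rx), owners) for cat, name, rx, owners in STORE_RULES]


def normalise(path: str) -> str:
    """Lower-case, backslash-only, without the NT \\??\\ prefix that the memory strings above carry."""
    p = path.replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def classify(path: str) -> Optional[Tuple[str, str, frozenset]]:
    """(category, store, owners) when the path is a known credential or wallet store, else None."""
    p = normalise(path)
    for cat, name, rx, owners in _RULES:
        if rx.search(p):
            return cat, name, owners
    return None


def profile(events: List[Dict]) -> Dict[int, Dict]:
    """Per process: which stores and categories it opened, and whether it read another app's store."""
    procs: Dict[int, Dict] = {}
    for ev in events:
        hit = classify(ev["path"])
        if hit is None:
            continue
        cat, name, owners = hit
        rec = procs.setdefault(ev["pid"], {"image": ev["image"], "stores": set(), "categories": set(), "foreign": False})
        rec["stores"].add(name)
        rec["categories"].add(cat)
        if owners and ev["image"].lower() not in owners:
            rec["foreign"] = True
    return procs


def alerts(events: List[Dict], min_stores: int = 2) -> List[Dict]:
    """One alert per process that reads another application's store or sweeps several stores."""
    out = []
    for pid, rec in profile(events).items():
        reasons = []
        if rec["foreign"]:
            reasons.append("opened a credential store owned by another application")
        if len(rec["stores"]) >= min_stores:
            reasons.append(f"opened {len(rec['stores'])} distinct stores across {sorted(rec['categories'])}")
        if reasons:
            out.append({"pid": pid, "image": rec["image"], "stores": sorted(rec["stores"]), "reasons": reasons})
    return out


# Constructed file-open telemetry: the rVzBEyDXVq.exe opens are the ones recorded above (PID
# 7184 as in the report); the chrome.exe and firefox.exe opens are benign baseline activity.
_APP = r"C:\Users\user\AppData"
SAMPLE_EVENTS = [
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Local\Google\Chrome\User Data\Default\Extension Cookies"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\atomic"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\Binance"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Local\Coinomi\Coinomi\wallets"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\Electrum\wallets"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\Ethereum\wallets"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\Exodus\exodus.wallet"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\Guarda"},
    {"pid": 7184, "image": "rVzBEyDXVq.exe", "path": _APP + r"\Roaming\com.liberty.jaxx"},
    {"pid": 4100, "image": "chrome.exe",     "path": _APP + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4200, "image": "firefox.exe",    "path": _APP + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

The two rules are deliberately independent: a backup agent touching several stores trips only the sweep rule and can be allow-listed by image, while a single read of Chrome's Login Data by an unexpected binary still fires on the foreign-reader rule.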

Remote Access Functionality

Source: Yara match  File source: dump.pcap, type: PCAP
Source: Yara match  File source: 10.0.rVzBEyDXVq.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000A.00000000.1789181636.0000000000632000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1931177967.0000024BF8400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: LkIQdqTVXS.exe PID: 7512, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rVzBEyDXVq.exe PID: 7184, type: MEMORYSTR
Source: Yara match  File source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe, type: DROPPED
MITRE ATT&CK Matrix (numbers in front of a technique are the signature counts the report attached to that cell):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 11 Process Injection | 11 Disable or Modify Tools | LSASS Memory | 331 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 115 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
[Behavior graph (image not reproduced). Behavior Graph ID: 1471373, Sample: LkIQdqTVXS.exe, Startdate: 11/07/2024, Architecture: WINDOWS, Score: 100]
Start node signatures: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 5 other signatures.
LkIQdqTVXS.exe started: dropped C:\Users\user\AppData\...\rVzBEyDXVq.exe (PE32); Adds a directory exclusion to Windows Defender; started rVzBEyDXVq.exe, two powershell.exe instances and 3 other processes.
rVzBEyDXVq.exe: contacted 89.23.96.98, port 1912 (source port 49731), MAXITEL-ASRU, Russian Federation; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 4 other signatures.
powershell.exe (both instances): Loading BitLocker PowerShell Module; each started conhost.exe.
Other processes: dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode); started two conhost.exe instances.

Source | Detection | Scanner | Label | Link
LkIQdqTVXS.exe | 45% | ReversingLabs | Win64.Spyware.Redline |
LkIQdqTVXS.exe | 42% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe | 76% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id16ResponserVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponserVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id13rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id14rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id15rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id16rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/NoncerVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id17rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id18rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id5ResponserVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id19rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsrVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id15ResponseDrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponserVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id11ResponseDrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponserVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0rVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://aka.ms/nativeaot-cLkIQdqTVXS.exefalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id17ResponseDrVzBEyDXVq.exe, 0000000A.00000002.1964737476.0000000002AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/soap/envelope/rVzBEyDXVq.exe, 0000000A.00000002.1964737476.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        89.23.96.98 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1471373
                        Start date and time:2024-07-11 10:51:07 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 7s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:18
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:LkIQdqTVXS.exe
                        renamed because original name is a hash value
                        Original Sample Name:38220c00acde8eff7c2fdb50a5e16dd1.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@17/24@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:Failed
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 52.168.117.173
                        • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed; report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        Time | Type | Description
                        04:51:58 | API Interceptor | 57x Sleep call for process: powershell.exe modified
                        04:52:20 | API Interceptor | 60x Sleep call for process: rVzBEyDXVq.exe modified
                        04:52:23 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        No context
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        MAXITEL-ASRU | file.exe | malicious | Amadey | 89.23.103.42
                        MAXITEL-ASRU | Launcher.exe | malicious | RedLine | 89.23.101.114
                        MAXITEL-ASRU | Dn7TBzLtf5.exe | malicious | RHADAMANTHYS | 89.23.103.235
                        MAXITEL-ASRU | a6zbacl43h.exe | malicious | DCRat | 89.23.97.228
                        MAXITEL-ASRU | https://5rve2bms.r.eu-west-1.awstrack.me/L0/https:%2F%2Fm.exactag.com%2Fai.aspx%3Ftc=d9279613bc40b07205bbd26a23a8d2e6b6b4f9%26url=%2568%2574%2574%2570%2525%2533%2541kenfong.com%252Fwinner%252F54799%252F%252FbGF3cmVuY2UuZnJhbmNlQGNhYmluZXR3b3Jrc2dyb3VwLmNvbQ==/1/0102019036933333-15818f27-6536-4f7c-94ff-9a04497bf567-000000/vIL5T4ixe-4lQyI6m0NlGqCl204=379 | malicious | HTMLPhisher | 89.23.108.32
                        MAXITEL-ASRU | D4FCA29AB627CC8EACE04367A04CC9919BFE2481523B2.exe | malicious | RedLine | 89.23.97.100
                        MAXITEL-ASRU | v6O2h78Mcp.exe | malicious | RedLine | 89.23.99.151
                        MAXITEL-ASRU | P8KA32mz7j.exe | malicious | RedLine | 89.23.107.91
                        MAXITEL-ASRU | Build.exe | malicious | Luca Stealer, Quasar | 89.23.96.113
                        MAXITEL-ASRU | uuVg5f1Gdn.exe | malicious | DCRat, PureLog Stealer, zgRAT | 89.23.98.112
                        No context
                        No context
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.8444533930783782
                        Encrypted:false
                        SSDEEP:96:NzFBud3LoTZMJFsvWgq3vMCqiDSpQXIDcQ3c6l8cECcw3txnQ+HbHg/opAnQVdMQ:h7aLoaFBYK0J6oRjX2zuiFkZ24lO8Lx
                        MD5:64234D2B5F8303110D6A509609DF6738
                        SHA1:7AFE5A58B35E7DA3015AA432F56DD824A49655D9
                        SHA-256:94FB5824E8ADB4EF6E242AA65BFD280775C41206C50ECAA061CB7BD366C9408D
                        SHA-512:9124E03B45918207B8817338AC908E4EA0D7D182D70B59C935F51501338166D4D59E493F168449FA6DD11F1A755BA3E13B786858CC64969165D45CE1E96EA028
                        Malicious:true
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.1.6.1.5.3.0.3.7.8.4.9.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.1.6.1.5.3.0.9.7.2.2.4.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.4.1.6.a.2.7.-.d.8.e.c.-.4.c.4.c.-.9.a.b.0.-.e.b.9.d.0.4.8.2.1.5.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.e.a.7.d.a.c.-.a.f.b.1.-.4.5.c.9.-.8.0.c.6.-.9.e.0.b.1.8.2.e.9.3.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.L.k.I.Q.d.q.T.V.X.S...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.a.m.e...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.8.-.0.0.0.1.-.0.0.1.4.-.7.b.a.2.-.e.3.9.5.6.f.d.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.8.4.0.0.d.9.5.7.a.5.1.8.1.c.c.a.f.e.9.f.a.7.6.b.6.c.5.d.1.7.a.0.0.0.0.0.0.0.0.!.0.0.0.0.2.d.d.1.a.2.e.1.9.5.e.9.5.a.4.5.d.3.6.7.7.f.3.0.3.2.1.8.8.c.0.8.6.a.7.3.1.f.7.f.!.L.k.I.Q.d.q.T.V.X.S...e.x.e.....T.
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Jul 11 08:52:10 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):108542
                        Entropy (8bit):1.3873914409716386
                        Encrypted:false
                        SSDEEP:384:34eOQs8DiGt+lmS7k8SYllTPvCgLvgkbL7:I3QsVkugkj
                        MD5:EE762AC8B4185DC85ECC42BACF9C8DE4
                        SHA1:0EBE937E1225B1D8599E4931632D8EB98D48248B
                        SHA-256:E981DB2A3432DE3CCAF0820301699CF24FD500C6F3D7F070C520C0F9F5D0501A
                        SHA-512:7B390B52022DE8856206767C2010DB776CE17E11958FAE36002309153E8B3A221D6815D92AE8E7BB9ED2D6AD58E56F305301A034DE75C258FAB9A0B1E257A71C
                        Malicious:false
                        Reputation:low
                        Preview:MDMP..a..... .......:..f............T...............\............C..........T.......8...........T............!..............L...........8...............................................................................eJ..............Lw......................T.......X...-..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8634
                        Entropy (8bit):3.6999769711565516
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJ7N7vB6Y9WUxG6gmfXHBHpDG89bXOHfY9m:R6lXJxTB6YIUxG6gmfXLX+ff
                        MD5:562ED9AB6D839395428FBD1ED7D28F9B
                        SHA1:D78BE04D6607E41EEF7821FFE76B4C5765A79B34
                        SHA-256:ECB778E8E78FE82AF901B04A63BA6CAD59A39A9510E6536F0C2F2668C6B2D7B8
                        SHA-512:B92AD6A6D8AA7176C5919C7C454C0F7DEF6875D693584C4F3C18BD1EC8C268AD30F820605779F6AD8C70280B96F6495B12F70C07E9850EFE886BE80E9FAF4E9F
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.2.<./.P.i.
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4815
                        Entropy (8bit):4.4757556119052735
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsrJg771I9OdrWpW8VYFYm8M4JkjF2yq8va4rvY68FEd:uIjfFI7Vda7V5JhWnrvzWEd
                        MD5:36BCF4EC195C0FD9052595D3A162610B
                        SHA1:068CB33248A36CCFDFD0B69565126CE77C2AE472
                        SHA-256:3CCD94C6A2C3E0B8E3597D50477E9AE59D271EE9D29F775B77763A91D3B90AE4
                        SHA-512:5195C97895CBE6DEF82DF1192B73033AEAD681AD4B462A97FA98AC53CB2CE5CD2445B0FA96C56343C57B2B4E286DD73FEB815237F7DE8E93CADCB27A09D603B3
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="406074" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):3094
                        Entropy (8bit):5.33145931749415
                        Encrypted:false
                        SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                        MD5:2A56468A7C0F324A42EA599BF0511FAF
                        SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
                        SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
                        SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:modified
                        Size (bytes):64
                        Entropy (8bit):0.34726597513537405
                        Encrypted:false
                        SSDEEP:3:Nlll:Nll
                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                        Malicious:false
                        Preview:@...e...........................................................
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\Desktop\LkIQdqTVXS.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):192000
                        Entropy (8bit):6.1607879425386445
                        Encrypted:false
                        SSDEEP:3072:XcZqf7D341p/0+mAMkywUQQ0gnvB1fA0PuTVAtkxzM3R9:XcZqf7DIvn6jDB1fA0GTV8kq
                        MD5:FF675CB915A1BFBC7257942B2B247CA8
                        SHA1:ED0BE12CE97E6EEDC730CD5560B9B018A173C0C7
                        SHA-256:A06511DFB2BF3C6E5EA45D38510E3BC49A282AC93D01C40A4D72511CC51F101D
                        SHA-512:23B08439330B9CEBF5890827F9425CE5C9B6C469014B7924DF09C7F4DB55E48840BA181AE1BA8E3C404A70B6E8C6DA47FD0E1CC4497D1AD01DFF4DEA6878B2C9
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe, Author: Joe Security
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 76%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. .......................`............@.................................t...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H....... ...T...........(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.
                        Process:C:\Users\user\Desktop\LkIQdqTVXS.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.466364032744404
                        Encrypted:false
                        SSDEEP:6144:BIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNEdwBCswSbn:CXD94+WlLZMM6YFHG+n
                        MD5:8F8E2498AE33C7C27B5D59E4A74E64A0
                        SHA1:062A37410889152EFBA84A17F89F65CD4981EC87
                        SHA-256:6D84C191C4BB556BB9D83477F14F8A0091DA80CDDC7C4BC4359FC23FB8B1B2E9
                        SHA-512:B6BC8FEC983C2AE7494AB0DC704910887AC05AA1C567BC5A9C0A85B9DA0F79EF350803F98C6AA6B6EA9EF9B9341781F4C67A92C29113B89A88EB6D69EE363E70
                        Malicious:false
                        Preview:regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR?..o...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                        Entropy (8bit):6.502858820557899
                        TrID:
                        • Win64 Executable GUI Net Framework (217006/5) 49.88%
                        • Win64 Executable GUI (202006/5) 46.43%
                        • Win64 Executable (generic) (12005/4) 2.76%
                        • Generic Win/DOS Executable (2004/3) 0.46%
                        • DOS Executable Generic (2002/1) 0.46%
                        File name:LkIQdqTVXS.exe
                        File size:2'538'496 bytes
                        MD5:38220c00acde8eff7c2fdb50a5e16dd1
                        SHA1:2dd1a2e195e95a45d3677f3032188c086a731f7f
                        SHA256:55ed26b6f299b040e0378f25b4c2d5acc85af412ee7d4c10b95297e43ed4d6bc
                        SHA512:9a918e9ca38b78e7d71ae0654c7d17a9f48f9b2041b2578cd9c6a0cfbb03a465bf1b3ec1ad306be4a84e83b617f3e1d9b404eea91621fe2cf3eea4d8e62a1109
                        SSDEEP:24576:MSur0gWM3k1NZFuDGnsObY1UmEtns7bHf1H25vT6/N1k5jZW1uu7rXXb6j9Lfb7m:Tu1Zk1NZFuDwxvT6F6ZTR1uasf
                        TLSH:A4C5282166EA00ADF373DB708FD8B67FC976F5631629A0AB1145C7020B339819E67736
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................S.......S.......S...........................z...c.......c...............c.......................Rich...........
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x140060a9c
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x140000000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66892157 [Sat Jul 6 10:49:59 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:d3d605c331e2890b595f1b6f88cea64e
                        Instruction
                        dec eax
                        sub esp, 28h
                        call 00007F8B808BB40Ch
                        dec eax
                        add esp, 28h
                        jmp 00007F8B808BAC37h
                        int3
                        int3
                        jmp 00007F8B808BB798h
                        int3
                        int3
                        int3
                        dec eax
                        sub esp, 28h
                        call 00007F8B808BB794h
                        jmp 00007F8B808BADC4h
                        xor eax, eax
                        dec eax
                        add esp, 28h
                        ret
                        int3
                        int3
                        jmp 00007F8B808BADACh
                        int3
                        int3
                        int3
                        dec eax
                        sub esp, 28h
                        dec ebp
                        mov eax, dword ptr [ecx+38h]
                        dec eax
                        mov ecx, edx
                        dec ecx
                        mov edx, ecx
                        call 00007F8B808BADD2h
                        mov eax, 00000001h
                        dec eax
                        add esp, 28h
                        ret
                        int3
                        int3
                        int3
                        inc eax
                        push ebx
                        inc ebp
                        mov ebx, dword ptr [eax]
                        dec eax
                        mov ebx, edx
                        inc ecx
                        and ebx, FFFFFFF8h
                        dec esp
                        mov ecx, ecx
                        inc ecx
                        test byte ptr [eax], 00000004h
                        dec esp
                        mov edx, ecx
                        je 00007F8B808BADD5h
                        inc ecx
                        mov eax, dword ptr [eax+08h]
                        dec ebp
                        arpl word ptr [eax+04h], dx
                        neg eax
                        dec esp
                        add edx, ecx
                        dec eax
                        arpl ax, cx
                        dec esp
                        and edx, ecx
                        dec ecx
                        arpl bx, ax
                        dec edx
                        mov edx, dword ptr [eax+edx]
                        dec eax
                        mov eax, dword ptr [ebx+10h]
                        mov ecx, dword ptr [eax+08h]
                        dec eax
                        mov eax, dword ptr [ebx+08h]
                        test byte ptr [ecx+eax+03h], 0000000Fh
                        je 00007F8B808BADCDh
                        movzx eax, byte ptr [ecx+eax+03h]
                        and eax, FFFFFFF0h
                        dec esp
                        add ecx, eax
                        dec esp
                        xor ecx, edx
                        dec ecx
                        mov ecx, ecx
                        pop ebx
                        jmp 00007F8B808BADD6h
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        nop word ptr [eax+eax+00000000h]
                        dec eax
                        cmp ecx, dword ptr [00000019h]
                        Programming Language:
                        • [IMP] VS2008 SP1 build 30729
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x334930 | 0x54 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x334984 | 0x104 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35b000 | 0x1462 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x348000 | 0x12d8c | .pdata
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35d000 | 0x698 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30f630 | 0x54 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x30f800 | 0x28 | .rdata
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x30f4f0 | 0x140 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x20a000 | 0x6a8 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x653c8 | 0x65400 | 1932fa3a073302c8b1f16ff2438eb2a9 | False | 0.45859375 | data | 6.658991960427536 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .managed | 0x67000 | 0xc3508 | 0xc3600 | f8e9af7c5614a982c9ea596370163afd | False | 0.4612499000319898 | data | 6.444725329172588 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        hydrated | 0x12b000 | 0xdec20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rdata | 0x20a000 | 0x12c1ee | 0x12c200 | eb2048954b06af67544bb0448d076113 | False | 0.3971863936901291 | data | 5.850386066458454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x337000 | 0x10788 | 0x2000 | 1da86d9317957f9f96f61d15ec9c5d27 | False | 0.2369384765625 | data | 3.627501459635927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .pdata | 0x348000 | 0x12d8c | 0x12e00 | 9ac91374a4cedfb9b4136e751ca88cd1 | False | 0.5028197433774835 | data | 6.113330531877811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .rsrc | 0x35b000 | 0x1462 | 0x1600 | 684b7f02ba14347ecb0cbebaabbf2153 | False | 0.3771306818181818 | data | 5.321989044551177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x35d000 | 0x698 | 0x800 | 529f2799cd24d94ae47584d93a212f96 | False | 0.4931640625 | data | 4.961134139610257 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_VERSION | 0x35b0a0 | 0x298 | OpenPGP Public Key | | | 0.44879518072289154
                        RT_MANIFEST | 0x35b338 | 0x112a | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40259444697314517
                        DLL | Import
                        ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetTokenInformation, DuplicateTokenEx, OpenThreadToken, RevertToSelf, ImpersonateLoggedOnUser, CheckTokenMembership
                        bcrypt.dll | BCryptGenRandom
                        IPHLPAPI.DLL | GetNetworkParams, GetPerAdapterInfo, GetAdaptersAddresses
                        KERNEL32.dll | TlsSetValue, TlsFree, SetLastError, GetLastError, ExitProcess, FormatMessageW, GetCPInfoExW, GetConsoleMode, GetFileType, WriteFile, WriteConsoleW, GetConsoleOutputCP, GetStdHandle, MultiByteToWideChar, WideCharToMultiByte, CloseHandle, GetExitCodeProcess, CreateProcessW, OpenProcess, K32EnumProcesses, GetProcessId, DuplicateHandle, QueryFullProcessImageNameW, CreatePipe, GetCurrentProcess, GetConsoleCP, CloseThreadpoolIo, RaiseFailFastException, GetTickCount64, GetCurrentThread, WaitForSingleObject, Sleep, DeleteCriticalSection, LocalFree, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, CreateThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CloseThreadpoolWait, CreateThreadpoolWork, CloseThreadpoolWork, SubmitThreadpoolWork, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, LocalAlloc, GetProcAddress, CreateIoCompletionPort, CreateDirectoryW, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetCurrentDirectoryW, GetFileAttributesExW, GetFileInformationByHandleEx, GetModuleFileNameW, GetOverlappedResult, GetSystemDirectoryW, LoadLibraryExW, SetFileAttributesW, SetFileInformationByHandle, SetFilePointerEx, SetThreadErrorMode, CreateThread, ResumeThread, GetThreadPriority, SetThreadPriority, GetCurrentProcessorNumberEx, SetEvent, ResetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, DebugBreak, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead, GetCurrentProcessId
                        ole32.dll | CoInitializeEx, CoUninitialize, CoCreateGuid, CoTaskMemFree, CoWaitForMultipleHandles, CoTaskMemAlloc, CoGetApartmentType
                        api-ms-win-crt-heap-l1-1-0.dll | calloc, malloc, _set_new_mode, _callnewh, free
                        api-ms-win-crt-math-l1-1-0.dll | ceil, __setusermatherr
                        api-ms-win-crt-string-l1-1-0.dll | wcsncmp, strcmp, strcpy_s, _stricmp
                        api-ms-win-crt-convert-l1-1-0.dll | strtoull
                        api-ms-win-crt-runtime-l1-1-0.dll | abort, _initialize_onexit_table, _get_initial_wide_environment, terminate, _seh_filter_exe, _set_app_type, _configure_wide_argv, _initialize_wide_environment, _crt_atexit, _initterm, _initterm_e, exit, _exit, __p___argc, __p___wargv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _register_onexit_function
                        api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
                        api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                        Name | Ordinal | Address
                        DotNetRuntimeDebugHeader | 1 | 0x1403383a8
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        07/11/24-10:52:13.117478 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        07/11/24-10:52:13.117478 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        07/11/24-10:52:13.361215 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 11, 2024 10:52:12.335494995 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:12.340310097 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:12.340887070 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:12.355372906 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:12.360192060 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:13.081217051 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:13.117477894 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:13.127612114 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:13.361215115 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:13.404197931 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:18.411506891 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:18.416599989 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654437065 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654454947 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654474974 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654486895 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654496908 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654508114 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:18.654510021 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:18.654586077 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:18.823833942 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:18.831244946 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.067354918 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.096532106 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:19.101511955 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.337151051 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.388571978 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:19.431122065 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:19.436265945 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436281919 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436290979 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436311960 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436321020 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436328888 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436340094 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436342001 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:19.436357021 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436367035 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436376095 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436384916 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.436407089 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:19.441309929 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.441325903 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.441345930 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.441355944 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.441364050 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.441374063 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.441394091 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.824142933 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:19.838468075 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:19.843708992 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.001051903 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.003582001 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.003626108 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:21.004060984 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.004098892 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:21.469521046 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:21.474580050 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.474605083 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.474616051 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.875195026 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:21.877706051 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:21.882664919 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.120593071 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.169799089 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.284631968 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.289702892 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.289815903 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.289901972 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.289932966 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.289961100 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.289962053 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.289989948 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290008068 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.290019989 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290050030 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.290074110 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.290082932 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290115118 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290143013 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290169954 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290196896 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290210962 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.290225983 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290277004 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290281057 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.290281057 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.290304899 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.290332079 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.290333986 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.290364027 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.290365934 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.290399075 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.290433884 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.301836014 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.302063942 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.302278042 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307126045 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307140112 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307179928 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307219028 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307285070 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307295084 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307305098 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307315111 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307326078 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307333946 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307334900 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307352066 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307367086 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307373047 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307382107 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307405949 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307435036 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307465076 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307475090 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307487965 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307513952 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307549000 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307575941 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307585955 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307598114 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307652950 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307681084 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307692051 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307703018 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307720900 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307728052 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307730913 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307740927 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307753086 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307779074 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.307858944 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307868958 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307878971 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307888031 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307951927 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307960987 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.307971001 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308037996 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308047056 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308057070 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308125973 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308135986 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308146000 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308180094 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308188915 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308198929 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308362007 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308371067 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308379889 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308506012 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308515072 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308763981 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308774948 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308784008 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308800936 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308809996 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308819056 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308826923 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.308856964 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.308968067 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.309115887 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.311660051 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312416077 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312458038 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312467098 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312475920 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312612057 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312623978 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312700033 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312709093 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312716961 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312778950 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312788963 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312798023 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312900066 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312910080 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312917948 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312927008 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312937975 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.312947989 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.313935995 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314064026 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314140081 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.314182997 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314193964 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314202070 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314239979 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314240932 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.314305067 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314402103 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314410925 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314471960 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314546108 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314623117 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314662933 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314742088 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314821959 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314834118 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314841986 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314879894 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314892054 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.314991951 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315002918 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315049887 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315141916 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315150976 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315159082 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315188885 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315200090 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315315962 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315339088 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315350056 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315367937 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315388918 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315398932 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315551996 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315562010 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315570116 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315578938 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315587997 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315597057 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315606117 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315615892 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315623999 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315689087 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315700054 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315711021 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315718889 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315782070 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.315790892 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.316535950 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.316632032 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.319261074 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319303989 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319382906 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319438934 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319448948 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319489956 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319550991 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319560051 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319600105 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319611073 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319645882 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319694996 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319706917 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319757938 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319766998 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319771051 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319775105 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319803953 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319807053 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319953918 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319963932 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319967031 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319971085 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319973946 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.319977045 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320039988 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320049047 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320056915 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320065022 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320074081 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320085049 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320290089 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320297956 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320337057 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320347071 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320353985 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320385933 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320394993 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320427895 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320439100 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320446968 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320456028 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320465088 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320491076 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320501089 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320509911 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320528984 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320538044 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320641041 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.320679903 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321681976 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321693897 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321702003 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321706057 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321716070 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321733952 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321743011 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321751118 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321759939 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321769953 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321778059 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321788073 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321795940 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321815014 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321824074 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321901083 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321911097 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321918964 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321928978 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321985006 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.321995020 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322002888 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322078943 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322097063 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322129965 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322139025 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322148085 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322421074 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322431087 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322442055 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322765112 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322774887 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.322782040 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323359013 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323369980 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323378086 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323381901 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323391914 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323401928 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323410988 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323420048 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323430061 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323438883 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323456049 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323465109 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323473930 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323482037 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323492050 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323501110 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323509932 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323520899 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323529959 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323539972 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323548079 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323555946 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323565960 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323574066 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.323584080 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.352217913 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.352467060 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.352467060 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.352628946 CEST497311912192.168.2.489.23.96.98
                        Jul 11, 2024 10:52:22.358160973 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358175993 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358298063 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358409882 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358421087 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358428955 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358511925 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358530045 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358540058 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358549118 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358557940 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358566999 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358576059 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358584881 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358593941 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358746052 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358757973 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358776093 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358860016 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358870029 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358880043 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358952045 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358961105 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358971119 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358979940 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358989954 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.358999014 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359008074 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359016895 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359025955 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359112978 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359122038 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359129906 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359427929 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359437943 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359446049 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359524012 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359534025 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359540939 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359549999 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359559059 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359683037 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.359693050 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.360308886 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.360326052 CEST19124973189.23.96.98192.168.2.4
                        Jul 11, 2024 10:52:22.360336065 CEST19124973189.23.96.98192.168.2.4
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 11, 2024 10:52:22.360346079 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360356092 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360366106 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360440016 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360450983 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360460043 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360467911 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360477924 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360505104 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360605955 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360615969 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360923052 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360933065 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360940933 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360950947 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.360960007 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361063004 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361083031 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361092091 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361102104 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361238956 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361248970 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361351967 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361362934 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361371040 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361381054 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361391068 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361402035 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361411095 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361493111 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361502886 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361510992 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361521959 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361531973 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361784935 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361794949 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361803055 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361814022 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361818075 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361825943 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361835003 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361948967 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.361960888 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362104893 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362116098 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362123966 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362133980 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362143040 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362268925 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362281084 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362289906 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362307072 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.362317085 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.363519907 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.363661051 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.363970041 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.363981009 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.364495993 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.364506006 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.364515066 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.364531994 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.364542007 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.364747047 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368544102 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368638039 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368648052 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368657112 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368720055 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368731022 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368738890 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368838072 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368846893 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368855953 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368910074 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368920088 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368979931 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368989944 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.368999004 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369009018 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369137049 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369147062 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369232893 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369242907 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369251966 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369282007 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369292021 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369301081 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369366884 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369376898 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369385958 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369436026 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369445086 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369453907 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369498014 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369507074 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369515896 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369576931 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369586945 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369595051 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369651079 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369659901 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369668961 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369779110 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369787931 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369796991 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369857073 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369865894 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369874954 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369930983 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369940042 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.369949102 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.370033026 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.370042086 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.370050907 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.370179892 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.370189905 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.372523069 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.372668982 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.377543926 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377561092 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377644062 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377655029 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377763033 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377773046 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377840996 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377968073 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.377978086 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378031015 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378149033 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378160000 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378170013 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378187895 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378197908 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378206968 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378247023 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378256083 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378266096 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378283978 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378293037 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378302097 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378343105 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378353119 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378362894 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378371954 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378453016 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378463984 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378473997 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378492117 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378501892 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378510952 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378561020 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378571033 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378580093 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378660917 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378670931 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378679991 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378690958 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378709078 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378717899 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378727913 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378771067 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378781080 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378791094 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378801107 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378844976 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378854990 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378865004 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378916025 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.378926039 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.379007101 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.379015923 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.381326914 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:22.386677980 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386703014 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386723042 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386737108 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386765003 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386779070 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386792898 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386806965 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386821985 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386881113 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386894941 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386909008 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386953115 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386966944 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.386981010 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387006998 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387020111 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387123108 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387136936 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387151957 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387177944 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387192011 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387206078 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387294054 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387306929 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387321949 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387521982 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387536049 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387550116 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387574911 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.387588024 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:22.432598114 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:23.441817999 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:23.443912983 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:23.452013016 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:23.884440899 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:23.887746096 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:23.892640114 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.128776073 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.129918098 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:24.134846926 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.371366024 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.377590895 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:24.382631063 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.382674932 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.382704020 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.382781982 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.382810116 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.382838964 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.618850946 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.624598026 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:24.629556894 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.865973949 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:24.919804096 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:25.271023035 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:25.276079893 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:25.512325048 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:25.517458916 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:25.522433043 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:25.758289099 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:25.760828018 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:25.766628027 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:26.002301931 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:26.019005060 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:26.023843050 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:26.259515047 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:26.310401917 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:26.317219019 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:26.322078943 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:26.557678938 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:26.607306957 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:27.615250111 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:27.620218039 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:27.870209932 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:27.870704889 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:27.875515938 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:28.111219883 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:28.112082005 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:28.353301048 CEST | 1912 | 49731 | 89.23.96.98 | 192.168.2.4
                        Jul 11, 2024 10:52:28.404186964 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
                        Jul 11, 2024 10:52:28.446002007 CEST | 49731 | 1912 | 192.168.2.4 | 89.23.96.98
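
When the packet list above is copied out of the report as plain text, the five columns (timestamp, source port, destination port, source IP, destination IP) run together into one digit string, and the digit string has more than one valid reading (the first IP can steal a digit from the second). The following Python is an added example, not code from the report or from Joe Sandbox: it enumerates every valid reading of each row, keeps the one whose endpoint pair is shared by the most rows in either direction, and summarises the result per remote endpoint. SAMPLE_ROWS is a constructed excerpt of the list above; LOCAL_PREFIX (the analysis VM's address as it appears in the rows) and WELL_KNOWN_PORTS are assumptions made for the example.

```python
"""Recover (timestamp, sport, dport, src, dst) from Joe Sandbox packet rows
whose five columns were fused into one string by the text export, then
summarise the flows per remote endpoint.

Added example for this report; not Joe Sandbox code. SAMPLE_ROWS is a
constructed excerpt of the packet list above. LOCAL_PREFIX (the analysis
VM's address as seen in the rows) and WELL_KNOWN_PORTS are assumptions.
"""
import re
from collections import Counter, defaultdict

SAMPLE_ROWS = [  # constructed excerpt; copied verbatim from the packet list above
    "Jul 11, 2024 10:52:22.360346079 CEST19124973189.23.96.98192.168.2.4",
    "Jul 11, 2024 10:52:22.363519907 CEST497311912192.168.2.489.23.96.98",
    "Jul 11, 2024 10:52:22.363661051 CEST497311912192.168.2.489.23.96.98",
    "Jul 11, 2024 10:52:22.363970041 CEST19124973189.23.96.98192.168.2.4",
    "Jul 11, 2024 10:52:23.443912983 CEST497311912192.168.2.489.23.96.98",
    "Jul 11, 2024 10:52:28.446002007 CEST497311912192.168.2.489.23.96.98",
]
LOCAL_PREFIX = "192.168.2."  # assumption: the sandbox VM's network as seen in the rows
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995, 8080}  # assumption

_ROW = re.compile(r"^(.*?\d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})(\d[\d.]+)$")
_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _valid_ip(s):
    return bool(_QUAD.match(s)) and all(int(o) <= 255 for o in s.split("."))


def _port(s):
    return int(s) if s.isdigit() and 0 < int(s) < 65536 else None


def candidates(blob):
    """Every (sport, dport, src, dst) reading of a fused 'portportIPIP' blob."""
    out = []
    for i in range(1, 6):                       # source port: 1-5 digits
        for j in range(i + 1, i + 6):           # destination port: 1-5 digits
            sport, dport, rest = _port(blob[:i]), _port(blob[i:j]), blob[j:]
            if sport is None or dport is None:
                continue
            for k in range(7, len(rest) - 6):   # a dotted quad is at least 7 chars
                src, dst = rest[:k], rest[k:]
                if _valid_ip(src) and _valid_ip(dst):
                    out.append((sport, dport, src, dst))
    return out


def _flow_key(c):
    sport, dport, src, dst = c
    return frozenset({(src, sport), (dst, dport)})   # direction-independent


def parse_rows(rows):
    """Parse fused rows. A row can admit several readings, so each row keeps
    the reading whose endpoint pair is shared by the most rows overall, in
    either direction. This needs packets in both directions in the table."""
    parsed = []
    for row in rows:
        m = _ROW.match(row.strip())
        cs = candidates(m.group(2)) if m else []
        if not cs:
            raise ValueError(f"unparseable row: {row!r}")
        parsed.append((m.group(1), cs))
    votes = Counter(_flow_key(c) for _, cs in parsed for c in cs)
    return [(ts,) + max(cs, key=lambda c: votes[_flow_key(c)]) for ts, cs in parsed]


def summarise(records, local_prefix=LOCAL_PREFIX):
    """Packets per direction for each remote (ip, port); flag unusual ports."""
    flows = defaultdict(lambda: {"to_remote": 0, "from_remote": 0})
    for _, sport, dport, src, dst in records:
        if dst.startswith(local_prefix):
            flows[(src, sport)]["from_remote"] += 1
        else:
            flows[(dst, dport)]["to_remote"] += 1
    for (_, port), f in flows.items():
        f["non_standard_port"] = port not in WELL_KNOWN_PORTS
    return dict(flows)


if __name__ == "__main__":
    for (ip, port), f in summarise(parse_rows(SAMPLE_ROWS)).items():
        print(f"{ip}:{port}", f)
```

On the rows above this recovers a single flow, 192.168.2.4:49731 to 89.23.96.98:1912, and flags 1912 as a non-standard port; 49731 falls in the Windows ephemeral range, which is the sanity check to apply to whichever reading the vote selects.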


                        Target ID:0
                        Start time:04:51:57
                        Start date:11/07/2024
                        Path:C:\Users\user\Desktop\LkIQdqTVXS.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\LkIQdqTVXS.exe"
                        Imagebase:0x7ff76e320000
                        File size:2'538'496 bytes
                        MD5 hash:38220C00ACDE8EFF7C2FDB50A5E16DD1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1931177967.0000024BF8400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:04:51:57
                        Start date:11/07/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\411eb279481e454fb468ac701336461b'"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:04:51:57
                        Start date:11/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:04:52:02
                        Start date:11/07/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\677b00078d834750b687d58f584bec52'"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:04:52:02
                        Start date:11/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:04:52:05
                        Start date:11/07/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe'"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:04:52:05
                        Start date:11/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:04:52:08
                        Start date:11/07/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\JuMXGqLRKI.exe'"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:04:52:08
                        Start date:11/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:04:52:09
                        Start date:11/07/2024
                        Path:C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe"
                        Imagebase:0x630000
                        File size:192'000 bytes
                        MD5 hash:FF675CB915A1BFBC7257942B2B247CA8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000000.1789181636.0000000000632000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1964737476.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1964737476.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\rVzBEyDXVq.exe, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 76%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:13
                        Start time:04:52:10
                        Start date:11/07/2024
                        Path:C:\Windows\System32\WerFault.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7512 -s 836
                        Imagebase:0x7ff6393e0000
                        File size:570'736 bytes
                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
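
Each of the four powershell.exe entries above (Target IDs 1, 4, 6 and 8) runs Add-MpPreference -ExclusionPath for a location under the user's AppData\Roaming immediately before the dropped executable in that location is started (Target ID 10). The following Python is an added detection example, not code from the report, from Joe Sandbox or from the sample. It takes process-creation events (only pid and cmdline are assumed; Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing supply both), decodes -EncodedCommand payloads, and reports every Add-MpPreference / Set-MpPreference exclusion, marking those that point at user-writable locations. The plain command lines in SAMPLE_EVENTS are copied from Target IDs 1, 2, 4, 6 and 8; the encoded event (pid 99) is constructed to exercise the base64 form that the "Powershell Base64 Encoded MpPreference Cmdlet" signature in the overview refers to.

```python
"""Flag Microsoft Defender exclusions added from PowerShell command lines.

Added example for this report; not Joe Sandbox code and not part of the
sample. Plain command lines are copied from the process list above; the
-EncodedCommand event is constructed.
"""
import base64
import re

# Constructed: what the same exclusion looks like when passed as base64 of
# UTF-16LE text, the form the report's Sigma signature name refers to.
_ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming', 'C:\\Users\\Public'"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed from the process list above (pid = Target ID)
    {"pid": 1, "cmdline": "\"powershell\" -Command \"Add-MpPreference -ExclusionPath "
                          "'C:\\Users\\user\\AppData\\Roaming\\411eb279481e454fb468ac701336461b'\""},
    {"pid": 2, "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 4, "cmdline": "\"powershell\" -Command \"Add-MpPreference -ExclusionPath "
                          "'C:\\Users\\user\\AppData\\Roaming\\677b00078d834750b687d58f584bec52'\""},
    {"pid": 6, "cmdline": "\"powershell\" -Command \"Add-MpPreference -ExclusionPath "
                          "'C:\\Users\\user\\AppData\\Roaming\\rVzBEyDXVq.exe'\""},
    {"pid": 8, "cmdline": "\"powershell\" -Command \"Add-MpPreference -ExclusionPath "
                          "'C:\\Users\\user\\AppData\\Roaming\\JuMXGqLRKI.exe'\""},
    {"pid": 99, "cmdline": f"powershell -NoProfile -EncodedCommand {_ENCODED_PAYLOAD}"},  # constructed
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ... all occur in the wild), followed by base64 of UTF-16LE script text.
_ENC_ALTS = "|".join(sorted({"ec", *("encodedcommand"[:n] for n in range(1, 15))},
                            key=len, reverse=True))
_ENC_FLAG = re.compile(rf"(?i)(?:^|\s)[-/](?:{_ENC_ALTS})\s+([A-Za-z0-9+/=]{{16,}})")
_CMDLET = re.compile(r"(?i)\b(Add|Set)-MpPreference\b")
_VALUE = r"'[^']*'|\"[^\"]*\"|[^\s,\"']+"          # one quoted or bare argument
_PARAM = re.compile(rf"(?i)-Exclusion(Path|Process|Extension|IpAddress)\s+"
                    rf"((?:{_VALUE})(?:\s*,\s*(?:{_VALUE}))*)")
_PARAM_NAMES = {"path": "Path", "process": "Process",
                "extension": "Extension", "ipaddress": "IpAddress"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    except ValueError:
        return None
    return raw.decode("utf-16-le", errors="replace")


def is_user_writable(path):
    """True for locations a standard user can write to, or for a whole drive."""
    p = path.lower().rstrip("\\") + "\\"
    if re.fullmatch(r"[a-z]:\\", p):
        return True
    return any(tag in p for tag in ("\\appdata\\", "\\users\\public\\",
                                    "\\programdata\\", "\\temp\\"))


def iter_exclusions(text):
    """Yield (cmdlet, parameter, value) for every exclusion argument in text."""
    hits = list(_CMDLET.finditer(text))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(text)
        for pm in _PARAM.finditer(text, m.end(), end):       # params of this cmdlet only
            for raw in re.findall(_VALUE, pm.group(2)):      # comma-separated list
                yield (m.group(1).capitalize() + "-MpPreference",
                       _PARAM_NAMES[pm.group(1).lower()], raw.strip("'\""))


def detect(events):
    """One finding per exclusion value; -EncodedCommand payloads are decoded first."""
    findings = []
    for ev in events:
        cmdline = ev.get("cmdline", "")
        decoded = decode_encoded_command(cmdline)
        text = cmdline if decoded is None else cmdline + "\n" + decoded
        for cmdlet, param, value in iter_exclusions(text):
            findings.append({
                "pid": ev.get("pid"), "cmdlet": cmdlet, "param": param, "value": value,
                "encoded": decoded is not None,
                "user_writable": param == "Path" and is_user_writable(value),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

On the sample events this yields six findings (one per excluded path, two of them from the single encoded event), all in user-writable locations. After the fact the same exclusions are visible in the ExclusionPath property of Get-MpPreference and can be removed with Remove-MpPreference -ExclusionPath; Defender also logs the configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is a second place to hunt when command-line auditing is not available.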
